HealthEquity discloses partner’s account compromised by unauthorized third party

In a regulatory filing last night, HealthEquity disclosed that earlier this year, the company became aware, through routine monitoring, of anomalous behavior by a personal use device belonging to a business partner. “The Company promptly took steps to isolate and triage the issue and began an investigation into the nature and scope of the issue. The investigation concluded that the Partner’s user account had been compromised by an unauthorized third party, who used that account to access information. The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members. The investigation further concluded that some information was subsequently transferred off the Partner’s systems. The Company has taken steps to strengthen its security environment, including with respect to the compromised Partner account and the recommended actions of its incident response firm. The investigation did not find placement of malicious code on any Company systems. There has been no interruption to the Company’s systems, services, or business operations. The Company is in the process of notifying its partners and clients, as well as identifying and notifying individual members whose information may have been involved. The Company expects to offer complimentary credit monitoring and identity restoration services. The Company does not currently believe the incident will have a material adverse effect on its business, operations, or financial results. The Company is continuing to evaluate the impact of this incident, including remediation expenses and other potential liabilities. The Company believes it holds adequate cybersecurity insurance for this incident and will also be seeking recourse from the Partner,” the filing stated.