HealthEquity experienced a data breach that impacted around 4.3 million individuals. According to the data breach notice filed with the Maine Attorney General’s office, the breach occurred on March 9, 2024 and was discovered on June 26, 2024. 

Security leaders weigh in 

Erich Kron, Security Awareness Advocate at KnowBe4: 

“Unfortunately, the theft of PHI can be very detrimental to those impacted as there is a lot of sensitive information, including social security numbers and, in many cases, information about procedures or ailments that may be embarrassing. It is also information that can be used for subsequent social engineering attacks. By referencing a procedure or test that an individual might think is private and known only to medical professionals, bad actors can more easily build trust with potential victims.

“This is also a lesson in the protection of data outside of the most common systems. It is not unusual to find that employees have used tools such as spreadsheets to collect information and process it without the knowledge of the IT and security staff. This is often not malicious but done to make work easier and more efficient, however these additional copies of data are difficult to protect if they are unknown.

“Organizations that deal with PHI or significant amounts of PII should ensure that employees are educated and trained about the proper handling of sensitive information. A good security culture, with employees considering the security implications of data duplication, is an important step toward reducing or eliminating situations such as this.”

Erfan Shadabi, cybersecurity expert at comforte AG:

“Organizations are only as secure as their weakest link. This breach, stemming from a compromised third-party vendor account, highlights the urgent need for rigorous vetting and continuous monitoring of all third-party relationships. The increasing frequency of third-party data breaches necessitates a proactive approach to security. Companies must adopt comprehensive vetting processes, regular audits and robust contractual agreements to enforce strict security standards. Prioritizing data-centric security techniques — such as encryption, tokenization and secure access controls — is essential to safeguard sensitive information effectively. Organizations must recognize that their security posture is intricately linked to the practices of their third-party vendors. By focusing on securing data itself and not just the network, companies can reduce the risk of exposure and limit the impact of breaches when they occur.”