HealthEquity Data Breach Affects 4.3M Customers

Health savings account (HSA) company HealthEquity’s March data breach affected some 4.3 million people, the firm has now admitted.

A data breach notice filed with the office of the attorney general in Maine revealed millions of customers likely had their personal and protected health information stolen.

HealthEquity first noticed a potential security incident in March and analyzed its data until confirming in June that a threat actor had accessed the company’s data repository.

HealthEquity found that a vendor’s user account had access to an online data storage location, resulting in them having the ability to access “a limited amount of data stored in a storage location outside [its] core systems.”

The data included sign-up information for accounts, including names, addresses, telephone and Social Security numbers.

Payment card information was also likely taken, though the firm said the breach did not affect card numbers or information on HealthEquity’s own debit card.

In its Q1 report published in June, HealthEquity said it had 16 million total accounts, meaning the breach affected some 27% of its total users.

Maine, like several other states, requires businesses to provide notice upon discovery of a data breach and its effect on the local population. The notice suggests around 13,480 Maine residents were affected by the breach.

Related:Rite Aid Data Breach Impacts 2.2M Customers, Personal Data Exposed

HealthEquity is now required to inform impacted customers. In a letter, the company has offered customers credit identity monitoring, insurance and restoration services for two years, free of charge.

“We sincerely regret that this incident occurred,” the letter to customers reads. “HealthEquity takes the security of personal information seriously, and we will continue to work diligently to protect the information entrusted to us.”

HealthEquity’s data breach comes as new research from IBM said that the global average cost of a data breach reached $4.88 million in 2024. The 2024 iteration of IBM’s annual Cost of a Data Breach report suggests breach costs have increased by 10% from 2023.