HealthEquity Data Breach Impacts 4.3 Million People

HealthEquity, Inc., a prominent administrator of health savings accounts (HSAs) and other consumer-directed benefits, recently experienced a significant data breach. The breach came to light on June 26, 2024, following an alert on March 25, 2024, that indicated a systems anomaly. After extensive technical investigation and data forensics, it was discovered that unauthorized access and potential disclosure of sensitive information had occurred.

The breach affected a substantial number of individuals, with 1,549 people impacted in the United States. Notably, the state of Texas reported 374,264 affected individuals, while Maine had 13,480, and Massachusetts had 2. The breach involved unauthorized access to an unstructured data repository outside HealthEquity's core systems, managed by one of their vendors.

The types of consumer information exposed in this breach include:

• First name, last name, address, and telephone number
• Employee ID and employer information
• Social Security Number
• Dependent information
• Payment card information (excluding payment card number or HealthEquity debit card information)
• Medical and health insurance information
• Date of birth

The breach was disclosed to various authorities, including the Massachusetts Attorney General's office on January 27, 2025, and the U.S. Department of Health and Human Services on December 20, 2024. Additional details can be found on the California Attorney General's website and the Maine Attorney General's website.

HealthEquity's Response

In response to the breach, HealthEquity, Inc. took immediate action to mitigate the impact and prevent further unauthorized access. Upon detection of the unauthorized activity, they launched a thorough investigation and engaged third-party experts to assess the situation. The company disabled all potentially compromised vendor accounts, terminated active sessions, blocked associated IP addresses, and implemented a global password reset for the affected vendor.

To support those affected, HealthEquity has arranged for credit identity monitoring, insurance, and restoration services through Equifax, available for two years at no cost. Affected individuals are encouraged to activate these services by following the instructions included in the notification letter. Additionally, HealthEquity has enhanced its security and monitoring efforts, internal controls, and overall security posture.

If you have been affected by this breach, it is crucial to monitor your financial statements, credit reports, and other accounts for any unusual activity. HealthEquity has provided a dedicated service center to address any questions or concerns, which can be reached toll-free at 888-244-3079.

About HealthEquity, Inc.

HealthEquity, Inc. is a leading administrator of health savings accounts (HSAs) and other consumer-directed benefits, including FSAs, HRAs, COBRA, and commuter benefits. The company partners with benefits advisors, health plans, and retirement providers to assist over 13 million members in achieving long-term health and financial well-being. For more information about HealthEquity, visit their official website.