Major U.S. health savings account administrator HealthEquity had information from 4.3 million individuals exfiltrated following the infiltration of an online data storage location using a compromised third-party vendor's user accounts earlier this year, reports The Register.
Information stolen from individuals varies but may include a combination of names, telephone numbers, home addresses, and Social Security numbers, as well as employer names, employee IDs, general dependent details, and payment card data, according to a breach notification letter from HealthEquity, which noted that there has been no evidence indicating any misuse of the stolen data.
HealthEquity also emphasized that none of its systems were affected by the incident as it disclosed efforts to mitigate the breach and strengthen its security defenses.
"As a result of our investigation, we took immediate actions including disabling all potentially compromised vendor accounts and terminating all active sessions; blocking all IP addresses associated with threat actor activity; and implementing a global password reset for the impacted vendor. Additionally, we enhanced our security and monitoring efforts, internal controls, and security posture," said HealthEquity.
