HealthEquity, a custodian of more than 3.4 million health savings accounts, has had a data breach after one employee’s email account was accessed by an unauthorized person. There were 23,000 individuals impacted by this incident across all of the accounts HealthEquity serves.
Compromised protected health information in the email included employee names, HealthEquity member IDs, employer names, HealthEquity employer IDs, various types of healthcare accounts, deduction amounts and Social Security numbers for some Michigan-based employees. IT security experts commented below.
Tim Erlin, VP at Tripwire:
“The healthcare industry is a growing target for cyber attacks because of the highly valuable information stored within these organisations.
The biggest risk for those affected is identity theft, given that social security numbers were compromised. HealthEquity seems to realize this fact, and has offered identity theft monitoring services in addition to the usual credit monitoring. The fact that this breach was detected 2 days after it occurred is notable, and a sign that HealthEquity was paying attention.”
Aaron Zander, Senior IT Engineer at HackerOne:
“Employee behaviour is something many companies seek to punish. But punishment doesn’t teach good behaviour. Training and education are important. Enabling security is even more crucial.
Companies who blame employees for poor passwords or bad behaviour with email aren’t spending enough time, money, or energy driving home security.
Preventing phishing attacks can be closely tied to corporate culture. Is it normal for an exec to demand something like a bank transfer to a vendor, or a large purchase from a random site with no questions asked either because of fear or sternness? Welcome to phishing heaven. It’s up to IT and security teams to enable, empower and educate employees as part of strengthening the weakest links.”