Cyberattackers Accessed HealthEquity Customer Info via Third Party

HealthEquity, a Utah-based health savings account (HSA) provider, has disclosed a data breach affecting 4.5 million customers across the US. The incident stemmed from a hack of a data repository maintained by a third party, a spokesperson confirmed.

The company said in the notice that a hacker managed to breach an "an unstructured data repository outside our core systems" containing customer data, making off with various kinds of personally identifiable information (PII). While the spokesperson confirmed that the repository was maintained by a third-party vendor, she declined to offer further details on the topography or supply chain implications beyond noting that internal systems, including transactional platforms and integrations, weren't impacted.

The stolen PII included a mix of benefits sign-up information that varied by customer. That mix could include name, address, phone number, employee ID, employer, Social Security number, and dependent information. In all, the heist offers crooks a treasure trove of social engineering information.

"By referencing a procedure or test that an individual might think is private and known only to medical professionals, bad actors can more easily build trust with potential victims," said Erich Kron, security awareness advocate at KnowBe4, in an emailed statement.  

Dwell Time & Response Anatomy

The initial access occurred on March 9, but it was only officially reported on June 26, according to a notice filed with the Maine Attorney General's Office. However, the dwell time for the cyberattackers before discovery was "much narrower" than that timeline would suggest, according to the company's spokesperson.

Rather than months, the attackers apparently went unnoticed for a little more than two weeks. The first inkling that there was a problem was a systems anomaly alert on March 25. HealthEquity said it took immediate action upon receiving the alert from its vendor, resolving the issue quickly and then kicking off an "extensive technical investigation and … data forensics" effort that lasted through June 10.

That was followed by a validation of the data theft that wrapped up June 26. After that, the company was finally able to file notifications with state authorities, and also notified the US Securities and Exchange Commission although it wasn't mandated to do so.

"We have taken immediate, proactive and prudent action since we first discovered an anomaly with our third-party vendor," the company said in a statement shared with Dark Reading. "This included quickly resolving the issue, bringing together a team of outside and internal experts to investigate, and preparing for response."

The spokesperson also noted that incident response is an ongoing effort: HealthEquity is now in the process of notifying partners, clients and members, and is working with its vendors to prevent future incidents.

Protecting External Data Stores

In this case, the type of repository "outside core systems" the attackers accessed was one hosted by a third-party cloud provider. But that's not the only kind of external storage that organizations need to worry about protecting. Data can also be hosted in an internally maintained container, or even in shadow databases that employees maintain on their own for productivity. In all cases, a comprehensive data protection strategy is necessary to prevent HealthEquity-type incidents, researchers note—starting with gaining visibility on where that data is.

"This is a lesson in the protection of data outside of the most common systems," Kron said. "It is not unusual to find that employees have used tools such as spreadsheets to collect information and process it without the knowledge of the IT and security staff. This is often not malicious but done to make work easier and more efficient, however these additional copies of data are difficult to protect if they are unknown."

Erfan Shadabi, cybersecurity expert at comforte AG, says that organizations should ensure they have processes in place to secure data across such hybrid storage footprints. This could include "comprehensive vetting processes, regular audits, and robust contractual agreements to enforce strict security standards," he said.

"Prioritizing data-centric security techniques — such as encryption, tokenization, and secure access controls — is essential to safeguard sensitive information effectively," he added.

Specifically for third-party risk, "organizations must recognize that their security posture is intricately linked to the practices of their third-party vendors," he adds. "By focusing on securing data itself and not just the network, companies can reduce the risk of exposure and limit the impact of breaches when they occur."