HealthEquity Data Breach Affects 4.3 Million
HealthEquity, Inc., a company that provides health savings accounts (HSAs) and other health financial services, is notifying approximately 4.3 million individuals that their personal and health information was compromised due to a data breach at a third-party vendor.
HealthEquity responded by taking immediate actions, including “disabling all potentially compromised vendor accounts and terminating all active sessions; blocking all IP addresses associated with threat actor activity; and implementing a global password reset for the impacted vendor.”
The breach was identified on March 25, as disclosed in a regulatory filing with the Maine Attorney General’s Office.
The compromised data may include names, addresses, phone numbers, Social Security numbers, employee IDs, employer details, dependent information, and payment card information.
The company has not disclosed the identity of the affected vendor but will begin mailing notification letters to the impacted individuals starting August 9.
Ted Miracco, CEO of Approov, had this to say:
“The HealthEquity breach starkly illustrates the dangers of relying solely on passwords for API access within the supply chain. This incident, which compromised not only PHI and PII but also financial information, highlights the extensive potential damage such vulnerabilities can cause. Robust multi-factor authentication, threat analytics for rapid response, and the use of short-lived tokens for API protection are imperative to safeguard sensitive data from similar breaches.”
I will be very interested to see who this vendor is, because this is pretty bad. And it reinforces the fact that when you use third parties, you have to be able to trust those third parties, because you’re exposed to whatever they haven’t done to protect themselves from getting pwned.
This entry was posted on July 30, 2024 at 8:59 am and is filed under Commentary with tags Hacked.