{"id":102258,"date":"2024-08-02T15:25:00","date_gmt":"2024-08-02T22:25:00","guid":{"rendered":"https:\/\/cyberguy.com\/?p=102258&preview=true&preview_id=102258"},"modified":"2024-08-19T22:27:13","modified_gmt":"2024-08-20T05:27:13","slug":"4-3-million-americans-exposed-in-massive-health-savings-account-data-breach","status":"publish","type":"post","link":"https:\/\/cyberguy.com\/news\/4-3-million-americans-exposed-in-massive-health-savings-account-data-breach\/","title":{"rendered":"4.3 million Americans exposed in massive health savings account data breach"},"content":{"rendered":"
Health savings account (HSA) provider HealthEquity has suffered a massive data breach that has put over 4.3 million Americans at risk. The company, which specializes in providing HSAs, flexible spending accounts (FSAs), health reimbursement arrangements (HRAs), and 401(k) retirement plans, confirmed threat actors stole sensitive health data using a partner’s compromised credentials. This includes full names, home addresses, telephone numbers, employer and employee IDs, Social Security numbers, and more.<\/p>\n
GET SECURITY ALERTS, EXPERT TIPS \u2013 SIGN UP FOR KURT\u2019S NEWSLETTER \u2013 THE CYBERGUY REPORT HERE<\/b><\/a><\/p>\n <\/p>\n <\/p>\n HealthEquity has confirmed<\/a> that it suffered a data breach in which the personal information of millions of Americans has been compromised. In a Form 8-K filing submitted<\/a>\u00a0on July 2, 2024, the company disclosed that hackers gained access to this sensitive health data after using a partner\u2019s compromised credentials.<\/p>\n HealthEquity became aware of the systems anomaly on March 25, 2024, and the investigation continued until June 10, 2024. \u00a0The company’s data breach notice reads in part:<\/p>\n We discovered some unauthorized access to and potential disclosure of protected health information and\/or personally identifiable information stored in an unstructured data repository outside our core systems. On June 26, 2024, after validating the data, we unfortunately determined that some of your personal information was involved.<\/p><\/blockquote>\n As for notifications, the company tells us that the process for notifying customers \u2014 both businesses and individuals \u2014 is ongoing. Affected individuals will receive a notification by mail or email based on their account communications preferences.<\/p>\n The company says that the affected data was sign-up information for accounts and benefits that it administers. The data may include information in one or more of the following categories: first name, last name, address, telephone number, employee ID, employer, social security number, health card number, health plan member number, dependent information (for general contact information only), HealthEquity benefit type, diagnoses, prescription details, and payment card information (but not payment card number), and \/ or HealthEquity account type. Not all data categories were affected for every member.<\/p>\n HealthEquity says it is not aware of any actual or attempted misuse of the information due to this incident to date. We reached out to HealthEquity, and a representative from the company provided CyberGuy with this statement:<\/p>\n The entire Purple Team is committed to educating, assisting and supporting our partners, clients and members through this incident. We have taken immediate, proactive and prudent action since we first discovered an anomaly with our third-party vendor. This included quickly resolving the issue, bringing together a team of outside and internal experts to investigate, and preparing for response. Additionally, we formally filed notification with the Securities and Exchange Commission, which wasn\u2019t required, but represents our concern and commitment to transparent communication. We regret the inconvenience caused by the incident and are working to minimize disruption while also taking steps to help prevent this from happening in the future. Partner and client notifications are underway, and we are thankful for the professionalism and understanding we\u2019re experiencing thus far.<\/p><\/blockquote>\n <\/p>\n HERE\u2019S WHAT RUTHLESS HACKERS STOLE FROM 110 MILLION AT&T CUSTOMERS<\/a><\/strong><\/p>\n <\/p>\n HealthEquity says it has secured the affected data repository. The vendor’s user accounts, which had access to an online data storage location, were compromised, allowing hackers to access data stored in that location. HealthEquity has disabled all potentially compromised vendor accounts, terminated all active sessions, and blocked all IP addresses linked to the threat actor’s activity. The company has also implemented a global password reset for the impacted vendor.<\/p>\n The HAS provider has also arranged credit identity monitoring, insurance, and restoration services for those impacted. These services will be available for two years, free of charge, through Equifax.<\/p>\n <\/p>\n WORLD\u2019S LARGEST STOLEN PASSWORD DATABASE UPLOADED TO CRIMINAL FORUM<\/a><\/strong><\/p>\n <\/p>\n If you suspect you\u2019ve been impacted by this data breach, follow these steps to protect your personal data and privacy.<\/p>\n 1) Invest in identity theft protection:\u00a0<\/strong>If you have been affected by a data breach, scammers may try to impersonate you to gain access to your private information. The best thing you can do to protect yourself from this type of fraud is to subscribe to an identity theft service.<\/p>\n Identity Theft companies can monitor personal information like your Social Security Number (SSN), phone number, and email address and alert you if it is being sold on the dark web or being used to open an account.\u00a0 They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.<\/p>\n My top recommendation is\u00a0Identity Guard<\/a>. One of the best parts of using\u00a0Identity Guard<\/a>\u00a0is that they might include identity theft insurance of\u00a0up to 1 million dollars to cover losses and legal fees<\/strong>\u00a0and a white glove fraud resolution team where a\u00a0US-based case manager helps you recover any losses<\/strong>.<\/p>\n CyberGuy\u2019s Exclusive Offer:\u00a0<\/strong>Get the Identity Guard Ultra protection to protect your identity and credit for as little as $9.99\/mo (lowest offered anywhere) for the first year.\u00a0<\/a><\/p>\n <\/p>\n 2) Invest in removal services:<\/strong> Investing in removal services is beneficial, particularly in the wake of data breaches like the recent one experienced by HealthEquity. While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time.\u00a0<\/span><\/p>\n A service like <\/span>Incogni <\/span><\/a>can help you remove all this personal information from the internet. It has a very clean interface and will scan 195 websites for your information and remove it and keep it removed.<\/span><\/p>\n Special for CyberGuy Readers (60% off):\u00a0<\/strong>\u00a0Incogni offers A 30-day money-back guarantee and then charges a special CyberGuy discount only through\u00a0the links<\/a>\u00a0in this article of\u00a0$5.99\/month for one person (billed annually)<\/a>\u00a0or\u00a0$13.19\/month for your family (up to 4 people) on their annual plan<\/a>\u00a0and get a fully automated data removal service, including recurring removal from\u00a0175+ data brokers<\/strong>.\u00a0 You can add up to 3 emails, 3 home addresses and 3 phone numbers<\/strong> (U.S. citizens only) and have them removed from data-broker databases.\u00a0 I recommend the family plan because it works out to only $4.12 per person per month for year-round coverage. It\u2019s an excellent service, and I highly recommend at least trying it out to see what it\u2019s all about.<\/p>\n Get Incogni here<\/a><\/p>\n Get Incogni for your family (up to 4 people) here<\/a><\/p>\n <\/p>\n 3) Place a fraud alert:<\/strong>\u00a0Contact one of the three major credit reporting agencies (Equifax, Experian, or TransUnion) and request a fraud alert to be placed on your credit file. This will make it more difficult for identity thieves to open new accounts in your name without verification.<\/p>\n <\/p>\n 4) Be cautious of phishing attempts:<\/strong>\u00a0Be vigilant about emails, phone calls, or messages from unknown sources asking for personal information. Avoid clicking on suspicious links or providing sensitive details unless you can verify the legitimacy of the request.<\/p>\n The best way to protect yourself from clicking malicious links that install malware that may get access to your private information is to have antivirus protection installed on all your devices. This can also alert you of any phishing emails or ransomware scams.<\/p>\n My top pick is\u00a0TotalAV<\/a>, and you can get a\u00a0limited-time deal for CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package.<\/a><\/p>\nWhat you need to know about the HealthEquity data breach<\/h2>\n
What is HealthEquity doing about the data breach?<\/h2>\n
8 measures to take to protect yourself from a data breach<\/h2>\n