HealthEquity Data Breach Investigation

The Lyon Firm is investigating a data breach at a third-party vendor contracted by HealthEquity, Inc. The company will begin sending out data breach notification letters to all individuals with links to WageWorks and Further, and any others who may have had their personal data compromised. Contact our class action data privacy lawyers to review your claims if you believe your information may have been stolen and leaked in the incident.

What Happened at HealthEquity?

Further Operations and WageWorks, and their parent company, HealthEquity, announced a data breach last month, but considerably underestimated the number of individuals impacted. The Further data breach, they said, may have involved sensitive personally identifiable information and protected health information belonging to over 75,000 individuals.

According to more recent reports, published by the Attorneys General in Maine and California, as many as 4.3 million individuals may be impacted by the HealthEquity data security incident.

On March 25, 2024, HealthEquity became aware of a “system anomaly,” requiring a technical investigation and data forensics until June 10, 2024. The company concluded on June 26 that they experienced unauthorized access to protected health information and personally identifiable information stored on their systems.

What information was involved in the HealthEquity Data Breach?

The compromised data involved sign-up information for accounts and benefits administered by HealthEquity. The data may include the following:

  • First name
  • Last name
  • Address
  • Telephone number
  • Employee ID
  • Employer
  • Social security number
  • Health card number
  • Health plan member number
  • Dependent information
  • HealthEquity benefit type
  • Diagnoses
  • Prescription details
  • Payment card information

When the company detected the unauthorized activity, they engaged third-party experts to determine the nature of the incident. They determined that user accounts belonging to a vendor (Further), which had access to HealthEquity systems, were compromised, and that because of this, an unauthorized party was able to access a limited amount of data stored in an unstructured data repository outside the company's core systems.

According to an SEC filing, the company disabled all potentially compromised vendor accounts and terminated all active sessions, which blocked all IP addresses associated with threat actor activity. Hackers ostensibly leveraged the hijacked Further account to gain unauthorized access to HealthEquity’s systems and exfiltrate sensitive health data.

More About HealthEquity & Further

The company provides health savings account (HSA) services and other consumer-directed benefits solutions, including flexible spending accounts (FSAs), health reimbursement arrangements (HRAs), and 401(k) retirement plans. Further is owned by HealthEquity and is a health spending solutions provider. WageWorks, based in California, is a company focused on administering CDBs, pre-tax spending accounts, such as Health Savings Accounts (HSAs), health and dependent care Flexible Spending Accounts (FSAs), Health Reimbursement Arrangements (HRAs), Commuter Benefit Services, wellness programs, COBRA, and other employee benefits.

Our attorneys believe that any financial or healthcare entity that collects and stores personal data has a duty to properly protect it with reasonably secure IT infrastructure. If a data breach occurs due to an improperly maintained data storage system, a company may be liable for any damages that result.

Contact our data breach lawyers to discuss taking legal action, and to learn more about how to protect yourself following the HealthEquity – WageWorks – Further data theft incident. We represent clients in all fifty states, and our firm is currently involved in numerous class action data privacy lawsuits. Free consultations and case reviews.