4.3 million people hit in massive healthcare data breach with full names, addresses and SSNs exposed online — what to do now

If you have a health savings account (HSA) to pay for medical expenses, your personal information may have been exposed online in a massive data breach that affects 4.3 million people in the U.S.

As reported by BleepingComputer, the HSA provider HealthEquity has disclosed that it suffered a data breach in which the personal information of millions of Americans was stolen by hackers.

According to a Form 8-K filing submitted to the SEC at the beginning of July, the hackers gained access to this sensitive health data by using a partner’s compromised credentials. An investigation revealed that the breach occurred back in March of this year, and HealthEquity verified that this was the case at the end of June following an internal investigation.

For those with an HSA, FSA, HRA or even a 401K from HealthEquity, here’s everything you need to know about this latest data breach along with what you can do next if your personal information was compromised.

Breached data repository

HealthEquity will notify impacted individuals about this data breach at the beginning of August. However, a data breach notification shared with the Office of the Maine Attorney General has all the details on exactly what personal information was obtained by the hackers behind this breach.

In the notification, a law firm representing HealthEquity explains that full names, home addresses, telephone numbers, employer and employee IDs, Social Security numbers, general dependent information and partial payment card information were all exposed after an unstructured data repository was accessed using stolen credentials.

While 4.3 million people are affected by this breach, the exposed data varies per individual. So while one person’s name and address may have been stolen, their Social Security number might not have been.

Fortunately, the data repository in question has now been secured. Likewise, HealthEquity also implemented a global password reset for the third-party vendor whose account was breached and then used to access patients’ personal information.

How to see if you're affected and what to do next

If you have an HSA or another account with HealthEquity and your personal data was compromised as a result of this breach, you will most likely be notified through the mail. Like the data breach notification linked above, this letter will explain what happened, how the company dealt with the situation and what kind of assistance it’s offering to impacted individuals.

While some companies don’t offer free access to the best identity theft protection services following a data breach, HealthEquity will. Impacted individuals will get free credit monitoring and identity theft protection through Equifax for the next two years. However, you will have to enroll in the service using the code provided in the data breach notification letter.

Besides enrolling, you also want to keep a close eye on your bank statements and other financial accounts to look for signs of fraud. At the same time, hackers may try to use this stolen data to launch targeted phishing attacks against impacted individuals, so you also need to be careful when checking your inbox as well as your text messages.

No hackers have come forward to claim responsibility for this breach yet and none of the stolen data has been leaked online, but we’ll update this story accordingly should that turn out to be the case.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.