Phishing Attack Leads to HealthEquity Breach, Compromises 23,000 Subscribers’ PHI

Following Health Insurance Portability and Accountability Act (HIPAA) breach notification guidelines, HealthEquity, a non-bank trustee of health savings accounts, announced that a phishing attack led to a data breach exposing the protected health information (PHI) of an estimated 23,000 subscribers. No other company systems were affected and no further misuse of the information has been observed, but the compromised email account contained a spreadsheet with names, email addresses, employer names, HealthEquity member IDs, healthcare account types, deduction amounts, and Social Security numbers for some Michigan-based employees.


The security breach occurred on April 11, 2018, and the unauthorized access to the employee’s mailbox was discovered and blocked two days later. HealthEquity hired a third-party forensics firm to investigate the extent of the breach; it found that only one account was compromised and used to send phishing emails, but has yet to confirm whether the spreadsheet containing the sensitive information was downloaded. Two unidentified companies confirmed to be affected by the breach have been notified, while individual customers are being informed and urged to enroll in identity protection services sponsored by the company. HealthEquity also assured subscribers that it will strengthen its internal email systems and security training for employees. The Utah-based company serves as custodian of over 3.4 million health savings accounts, and handles flexible spending accounts, 401(k) plans, and health reimbursement arrangements for approximately 40,000 U.S.-based companies.


Malicious actors will continue to target the healthcare industry for profit by exploiting system vulnerabilities and weak security practices. Make sure that valuable personal information is secured by following these steps:

For enterprises:

  • Ensure multi-layered protection systems from the gateway to the endpoint are in place for intrusion detection and prevention. These systems also allow for easier monitoring of incoming and outgoing network traffic.
  • Practice network segmentation and data categorization to limit the systems affected in the event of a security breach, and to more easily control the amount of sensitive information employees handle.
  • Regularly download software and firmware updates from legitimate vendors, and reduce the number of installed applications and open channels that could serve as infection vectors.
  • Train employees to be aware of socially engineered emails and calls, and establish a culture of vigilance and security against malicious actors.

For users:

  • Be aware of the social engineering tactics threat actors use to obtain sensitive information that can be used to access or open accounts.
  • Check the specific URLs in emails that claim to come from companies or organizations, especially those requesting sensitive information. It is safer to type the company’s website address directly, to scan any embedded attachments or links, and to confirm the request through the company’s publicly posted contact information.
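The URL check in the last item above can be automated on the receiving side. The script below is an added example, not code from the original article or from HealthEquity: it extracts the links from an HTML email body and flags the patterns phishing emails commonly rely on, namely link text that shows one domain while the href goes to another, links to raw IP addresses, punycode hosts, and hosts that contain the brand name but are not under the organization's real domain. The sample email and the trusted domain `healthequity.com` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(value):
    """Lowercase hostname of a URL (or bare domain string), or None if unparseable."""
    if not value:
        return None
    if "://" not in value:
        value = "http://" + value
    try:
        host = urlparse(value).hostname
    except ValueError:
        return None
    return host.lower() if host else None


# Visible link text that itself looks like a URL or domain (so the reader
# expects the click to go where the text says).
_URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def assess_link(href, text, trusted_domains):
    """Return the reasons this link deserves scrutiny; an empty list means no flag."""
    reasons = []
    host = host_of(href)
    if host is None:
        return ["href has no parseable host"]
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("href points at a raw IP address")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("href host uses punycode (possible homoglyph domain)")
    if _URL_LIKE.match(text):
        shown = host_of(text)
        if shown and shown != host and not host.endswith("." + shown):
            reasons.append(f"visible text shows {shown} but href goes to {host}")
    trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
    if not trusted:
        for d in trusted_domains:
            brand = d.split(".")[0]
            if brand in host:
                reasons.append(f"host {host} contains brand '{brand}' but is not under {d}")
    return reasons


def scan_email(html, trusted_domains):
    """Map each suspicious href in the email to its list of reasons."""
    findings = {}
    for href, text in extract_links(html):
        reasons = assess_link(href, text, trusted_domains)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message (not a real phishing email); example.net and
# 192.0.2.0/24 are reserved for documentation.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="https://www.healthequity.com/login">https://www.healthequity.com/login</a><br>
<a href="http://healthequity-secure-login.example.net/verify">https://www.healthequity.com/verify</a><br>
<a href="http://192.0.2.10/update">Update your account</a>
"""
TRUSTED = ("healthequity.com",)  # assumed legitimate domain for this example

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL, TRUSTED).items():
        print(href)
        for r in reasons:
            print("  -", r)
```

The first link passes because its text and href agree and the host is under the trusted domain; the second is flagged twice (text/href mismatch and brand name in an untrusted host); the third is flagged for the raw IP address. The check is deliberately conservative: it reports reasons rather than blocking, so a mail gateway or user-facing warning can decide what to do with them.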

Trend Micro™ InterScan™ Messaging Security stops email threats with global threat intelligence, protects your data with data loss prevention and encryption, and identifies targeted email attacks, ransomware, and APTs as part of the Trend Micro Network Defense Solution. Its enhanced web reputation blocks emails with malicious URLs in the message body or in attachments, and it is powered by the Trend Micro™ Smart Protection Network™.

