On July 2, 2024, HealthEquity, Inc. (HQY) filed a report to the U.S. Securities and Exchange Commission in Washington D.C. after discovering an unusual activity on a personal device used by a business partner, ‘Partner’, during routine monitoring. Immediate action was taken to contain and address the issue, leading to an investigation that revealed unauthorized access to the user account by a third party. This breach resulted in the exposure of personally identifiable information, including Protected Health Information (PHI) of some members. The investigation also found that some of the accessed information was later transferred off from the ‘Partner’s systems.

HealthEquity, Inc., was incorporated in 2002 and based in Draper, Utah. It is an American company that specializes in financial technology and business services. The IRS recognized it as a non-bank health savings trustee. This is a unique designation that allows it to be the custodian of Health Savings Accounts (HSAs) regardless of the financial institution where the funds are deposited. HealthEquity provides a comprehensive solution for benefits, including HSAs, FSAs, HRAs, retirement, COBRA, and commuter benefits. Its mission is to save and improve lives by empowering healthcare consumers.

The organization has implemented measures to enhance its security infrastructure, particularly concerning the breached ‘Partner’ account and the suggested protocols from its incident response firm. Furthermore, the investigation found no evidence of malicious code on the company’s systems, and no disruptions were experienced with the services and business operations. Additionally, the company is also informing its partners and clients, and identifying and informing individual members who may have been affected by the situation.