HealthEquity, a prominent health savings account administrator, has disclosed a data breach it says impacted 4.3 million people.
The company filed a notice with Maine's attorney general and revealed that it received an alert March 25 about a potential security incident and then proceeded to conduct an investigation. It analyzed data until June 10 before confirming that a threat actor had accessed a data repository.
In a letter to impacted customers, which will go out on Aug. 9, the company says that the accessed repository lies "outside our core data systems." The breach occurred on March 9, according to the notice.
"The affected data primarily consisted of sign-up information for accounts and benefits we administer," HealthEquity wrote in the letter.
HealthEquity said the stolen data included member names, addresses, telephone numbers, employee IDs, employer names, Social Security numbers, dependent information and payment card information, but not card numbers.
The company said that on June 26 it completed its review of which data were specifically stolen and who was affected.
"As a result of our investigation, we took immediate actions including disabling all potentially compromised vendor accounts and terminating all active sessions; blocking all IP addresses associated with threat actor activity; and implementing a global password reset for the impacted vendor," according to the letter. "Additionally, we enhanced our security and monitoring efforts, internal controls, and security posture."
HealthEquity is also making two years of free credit and identity monitoring available for affected people through Experian.
Beyond HSAs, the company administers flexible spending accounts, health reimbursement arrangements, COBRA and other benefits. It serves more than 14 million members across more than 120,000 organizations, according to its website.