An email hack security breach on their mail has again potentially exposed personal data of HealthEquity customers. This is not the first time however, in June, an unauthorized user hacked into an employee’s email account and breached the data of 16,000 customers according to HealthEquity Email Hack. The most recent breach is similar according to this site notification to customers:
On October 5, 2018, HealthEquity’s information security team identified unauthorized logins to two HealthEquity employees’ email accounts. The unauthorized access occurred, in the case of one account, on October 5, and in the case of the other, on different occasions between September 4, 2018 and October 3, 2018. HealthEquity immediately implemented security measures to prevent further access to the accounts, and began analyzing all information contained in these accounts to identify any sensitive personal information. On October 20, 2018, HealthEquity began receiving the results of the review of emails in the two affected mailboxes. The analysis confirmed that the accounts contained information including participants’ Social Security numbers and may have included other information such as names, HealthEquity member ID, account type (HSA, HRA, FSA, LPFSA, DCRA), contribution amount, and/or employer’s name.
I have a copy of a December 3rd 2018 dated letter sent to an acquaintance and customer based in Florida. The fact that the exposed PHI/PII data is being transmitted and/or somehow linked in the company’s email is alarming. Email ? Really ?!?!
Another example of bad IT security, why companies should ~not~ use email for transmission of important info or link to important info. To have this happen multiple times however is inexcusable – can someone say “class action lawsuit”.
I’ll say this over and over – one of the biggest issues that’s already biting us in the arse, is going to bloom in to a massive issue and needs to be tackled is identity theft and data security. People’s social security number (SSN), the number tied in to everything about each one of us gets compromised and you’re told, “sorry, here’s a few years of credit monitoring.” There is potentially a lifelong threat of identity theft once compromised. Heck, banks often already have your debit cards froze before you’re even aware of suspicious activity, yet with our SSN the best we can do is hope, pray and/or pay for an extra monitoring services – while corporations are seemingly fast blasting your digits via email hosted on outside “cloud” providers ?
Come on ! Dear folks in charge, there are many, many smart folks around, we can do better. I have a few ideas myself, hit me up, you know how to reach me. 🙂
$ host healthequity.com healthequity.com mail is handled by 0 healthequity-com.mail.protection.outlook.com. smtp:184.108.40.206 Connecting to 220.127.116.11 220 CO1NAM03FT035.mail.protection.outlook.com Microsoft ESMTP MAIL Service NetRange: 18.104.22.168 - 22.214.171.124 CIDR: 126.96.36.199/13 NetName: MSFT NetHandle: NET-104-40-0-0-1 Parent: NET104 (NET-104-0-0-0-0) NetType: Direct Assignment OriginAS: Organization: Microsoft Corporation (MSFT)
The good news is the Director filed on December 10th to sell a good chunk of his stock and pocketed a lot of cash to the tune of approx $150k.