The personal and medical information of millions of Americans has been stolen by hackers in a cyberattack on HealthEquity, a major health savings account administrator.
Though the data breach was made in March, the company did not confirm it occurred until June 26, the Daily Mail reported.
The names, addresses, health history, and social security numbers of a whopping 4.3 million account holders were obtained by the hackers, who have not been identified.
A third-party vendor — which has remained unnamed — was the target of the cyberattack because it reportedly had access to HealthEquity’s customer profile information stored in Microsoft Sharepoint.
The attack could lead to several other crimes, such as identity theft and fraud, but HealthEquity has said it is not aware of any attempted misuse of the stolen data so far.
“We have taken immediate, proactive and prudent action since we first discovered an anomaly with our third-party vendor,” a company spokesperson told the Daily Mail,
“This included quickly resolving the issue, bringing together a team of outside and internal experts to investigate, and preparing for a response.”
The company has also reportedly disabled the 4.3 million impacted accounts and blocked the IP addresses associated with the cyber thieves.
Customers who have been affected should be receiving notifications from HealthEquity if they were a part of the breach, though the investigation into the attack is still ongoing.
The HealthEquity spokesperson added that the company has “formally filed a notification with the Securities and Exchange Commission, which wasn’t required, but represents our concern and commitment to transparent communication.”
“We regret the inconvenience caused by the incident and are working to minimize disruption while also taking steps to help prevent this from happening in the future,” they added.
HealthEquity also told TechCrunch the data breach was an “isolated incident” unrelated to a recent hack of cloud data giant Snowflake, which led to “nearly all” AT&T customers having their phone records stolen.
