Yet another top US healthcare service provider has been hacked, with patient data exposed

Best practice management software
Image Credit: Pixabay (Image credit: Image Credit: Pixabay)

Following the likes of ChangeHealthcare, Kaiser, Cencora, and several others during the past few months, another major US healthcare service has reported suffering a cyberattack that resulted in the theft of sensitive patient data. 

This latest victim is HealthEquity, which was on the receiving end of an apparent supply chain attack. In an 8-K form, filed with the US Securities and Exchange Commission (SEC) earlier this week, HealthEquity reported how earlier this year, as it was routinely monitoring its systems, it discovered “anomalous behavior by a personal use device belonging to a business partner.”

As it turned out, a partner of the company had its personal device compromised, and used by the threat actors to access HealthEquity systems and thus, sensitive patient data. 

Missing details

“The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members,” the form reads. After accessing the information, the hackers extracted it to their own servers, HealthEquity confirmed.

The company has decided not to share details about the breach at this time, so we don’t know how many people were affected, who the threat actors were, if they demanded a payment in exchange for the data, or what kind of information they lost.

The company did tell TechCrunch that “some of HealthEquity’s SharePoint data” was taken in the breach. 

Microsoft SharePoint is a web-based collaboration and document management platform, designed to help organizations store, manage, and share information securely within a centralized framework. 

Following the breach, HealthEquity notified its partners and clients, as well as individual members whose data may have been involved. It is also offering credit monitoring and identity theft protection services. 

Since this was not a ransomware attack, and did not happen on the company’s infrastructure, HealthEquity does not expect the incident to have a material impact on its business, it concluded.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.