2024-07-02 HEALTHEQUITY, INC. Cybersecurity Incident

Page last updated on July 2, 2024

HEALTHEQUITY, INC. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2024-07-02 16:30:32 EDT.

Company Summary

HealthEquity connects health and wealth by administering Health Savings Accounts (HSAs) and other consumer-directed benefits.

Incident Details

Material: Unknown
Is Breach: TRUE
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date: 2024-03-01
Disclosure Date: 2024-07-02
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)


8-K filed on 2024-07-02

HEALTHEQUITY, INC. filed an 8-K at 2024-07-02 16:30:32 EDT
Accession Number: 0001428336-24-000055

Item 8.01 Other Events.

Earlier this year, HealthEquity, Inc. (the “Company”) became aware, through routine monitoring, of anomalous behavior by a personal use device belonging to a business partner (the “Partner”). The Company promptly took steps to isolate and triage the issue and began an investigation into the nature and scope of the issue. The investigation concluded that the Partner’s user account had been compromised by an unauthorized third party, who used that account to access information. The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members. The investigation further concluded that some information was subsequently transferred off the Partner’s systems. The Company has taken steps to strengthen its security environment, including with respect to the compromised Partner account and the recommended actions of its incident response firm.

The investigation did not find placement of malicious code on any Company systems. There has been no interruption to the Company’s systems, services, or business operations.

The Company is in the process of notifying its partners and clients, as well as identifying and notifying individual members whose information may have been involved. The Company expects to offer complimentary credit monitoring and identity restoration services.

The Company does not currently believe the incident will have a material adverse effect on its business, operations, or financial results. The Company is continuing to evaluate the impact of this incident, including remediation expenses and other potential liabilities. The Company believes it holds adequate cybersecurity insurance for this incident and will also be seeking recourse from the Partner.

Company Information

SIC DescriptionServices-Business Services, NEC
TickerHQY - Nasdaq
CategoryLarge accelerated filer
Fiscal Year EndJanuary 30