Incident Of The Week: HealthEquity Experiences Second Phishing Attack This Year

Multifactor Authentication Bypassed in Attack



Kayla Matthews
11/30/2018

HealthEquity is one of the latest companies to experience a phishing attack in 2018, and it's the second successful attack this year. HealthEquity is a company that helps people balance their health care expenditures with their retirement goals by making use of tax advantages. The company holds millions of health savings accounts (HSAs) for its customers, meaning it has enough data to interest cybercriminals.

What Happened During This Most Recent Attack?

In late November 2018, news broke about a HealthEquity phishing scam that successfully targeted the email accounts of two employees of the company. An investigation into the attacks concluded that an attack on one account happened on October 5, but the second account was breached multiple times between September 4 and October 3.

The forensics team involved in gathering details about the phishing attack noted that hackers took advantage of a problem associated with incorrectly configured email accounts. They stated that the error allowed the cybercriminals to bypass both multifactor authentication and device authentication safeguards.

Although hackers compromised only those two email inboxes and no other parts of the HealthEquity system, up to 190,000 customers may have been affected. Moreover, the information made available during the attack included protected health information (PHI), social security numbers, customer names, employer names, health plan names and more.

How Did HealthEquity Respond?

The officials who looked into the attack clarified that they acted promptly once they came across the problem, resetting the accounts' passwords and fixing the issue that allowed the hack. Company representatives also recruited the services of a forensics firm to confirm the extent of the attack.

Notifying customers about the issue involved sending four different breach notification letters, each one discussing different breached information. Plus, people affected by the phishing attacks can opt for five years of free credit monitoring and identity theft safeguards. HealthEquity is offering a $1 million insurance reimbursement policy as well.

Another report about the matter, which mentioned that 165,800 individuals were notified regarding the November breach, reveals that HealthEquity has also taken actions to prevent future attacks. They are taking new technical security measures, retraining and reeducating the HealthEquity team, and actively monitoring accounts for suspicious activity.

Employees of the organization were already receiving periodic security-related training, and HealthEquity monitored its network for suspicious activity.

The Scoop on an Earlier Attack

In June 2018, HealthEquity was targeted by a phishing attempt that had many similarities with this more recent one. In that case, only one employee's inbox was breached, but the attack affected approximately 23,000 customers. All relevant accounts were associated with a pair of Michigan-based companies working with HealthEquity.

Much of the data compromised was like that of the November attack and included health plan information, social security numbers and names. During the earlier instance, HealthEquity also hired a forensics company to verify the extent of the attack and confirmed that it extended only to that single email account.

The company offered five years of credit monitoring and identity theft safeguards to the affected companies and again sent out breach notification letters to the customers who had information stolen. Beyond the official notice, the company provided over a dozen pages' worth of supplementary information, including how people can be mindful of identity theft attempts.

More Attention Is Needed

More robust network monitoring is certainly a step in the right direction if HealthEquity wants to prevent further attacks. Considering that the second known account compromised during the November attack was potentially vulnerable to cybercriminals for nearly a month and was infiltrated multiple times, room for improvement exists.

The recent ransomware attacks in healthcare prove that more action is needed to protect the data of healthcare patients and staff. There was a reported attack against May Eye Care Center and Associates with 30,000 patient breaches in July, while 16,300 people were affected by a website breach involving UK eye care company Vision Direct. Although some have been low-level breaches, the recurring incidents appear to call for stronger security systems within healthcare facilities. With updated protocols and safety measures, corporations such as these may be able to avoid additional attacks on patient information.
