On November 17, 2018, HealthEquity, Inc. submitted a HIPAA Email Breach to the U.S. Department of Health and Human Services (HHS). This is their second reported HIPAA Email Breach this year alone.
SEE RELATED: HealthEquity, Inc. Suffers HIPAA Email Breach
Based in Draper, Utah, HealthEquity’s second email breach in 2018 affected 165,800 individuals’ protected health information.
HealthEquity is classified as a Business Associate.
According to a recent report on DataBreaches.net:
HealthEquity is committed to protecting the privacy of the individuals we serve. We sincerely regret this recent attack. While the results of our forensic investigation have found no evidence of actual or attempted misuse of the information, we are offering five years of free identity theft and credit monitoring services to all affected individuals. We are also implementing additional security protocols to help prevent this from occurring in the future. While the attack was limited to access through two Microsoft Outlook 365 email accounts and none of HealthEquity’s systems were accessed or impacted, we continue to be vigilant and proactive in protecting the personal information of the individuals we serve.
Through a third-party forensic research team, we have discovered that approximately 190,000 may have been impacted. We have begun notifying these individuals and offering 5-year credit monitoring services.
HealthEquity Email Platform
We did an MX record lookup for HealthEquity and determined they are still using Microsoft 365 as their email platform.
It should be noted that Microsoft 365 was their underlying email provider for both of their HIPAA email breaches this year.
We have seen an alarming number of Microsoft 365 customers reporting HIPAA Email Breaches in 2018.
HHS Wall of Shame
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights.
As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
HIPAA Breach Report
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.