HealthEquity reports email breach that compromised health information
ClickOnDetroit reports a press release from HealthEquity. From the notification/press release:
HealthEquity has notified individuals potentially impacted by a security incident. A single employee’s email account was accessed by an unauthorized individual that may have culminated in disclosure of protected health information. The incident occurred on April 11, 2018 and was discovered on April 13, 2018. As soon as HealthEquity discovered the incident, the unauthorized individual’s access to the mailbox was eliminated and an investigation was initiated to determine the nature and scope of the event.
HealthEquity engaged a prominent data security forensics firm and confirmed that only one email account belonging to a single HealthEquity employee was compromised as a result of human error. No other HealthEquity systems were impacted or affected. The email account contained protected health information including, for some individuals, one or more of the following: names, emails, HealthEquity member IDs, employer names, HealthEquity employer IDs, healthcare account type (e.g., FSA, DCRA, HCRA, or LPHCRA), deduction amounts and Social Security numbers for some Michigan-based employees. The two companies affected have been notified, and HealthEquity is working to resolve the matter.
Read the full press release on ClickOnDetroit.
So are they calling this “human error” because an employee clicked on a phishing email?