Required substitute notice
Member hotline phone number: (888) 244-3079
August 8, 2024
HealthEquity is notifying HAP members of an incident that may have exposed personal and protected information of some members.
Re: Notice of data breach
HAP takes the responsibility to protect the information of its plan participants very seriously. A security incident affecting certain of HAP’s current or former participants occurred at a vendor, as explained more fully below. Please be assured this incident did not involve HAP’s network or systems in any way. Because HAP has a direct relationship with you, however, HAP is posting this notice.
HealthEquity and Further by HealthEquity (Health Equity) are the custodians of HSAs and a directed third-party administrator of FSA/HRA, Commuter, COBRA, and Lifestyle plan.
After receiving an alert, on March 25, 2024, HealthEquity became aware of a systems anomaly requiring extensive technical investigation and ultimately resulting in data forensics until June 10, 2024. Through this work, they discovered some unauthorized access to or disclosure of protected health information and/or personally identifiable information.
Upon detection, HealthEquity launched an investigation and engaged third-party experts to determine the nature and scope of the incident. They took immediate actions including disabling all potentially compromised vendor accounts; blocking all IP addresses associated with threat actor activity; and implementing a global password reset for the impacted vendors. Additionally, they enhanced security and monitoring efforts, internal controls, and security posture.
The affected data was sign-up information for accounts and benefits we administer. The data may include information in one or more of the following categories: first name, last name, address, telephone number, employee ID, employer, social security number, health card number, health plan member number, dependent information (for general contact information only), HealthEquity benefit type, diagnoses, prescription details, and payment card information (but not payment card number), and / or HealthEquity account type. Not all data categories were affected for every member.
HealthEquity is not aware of any actual or attempted misuse of information because of this incident to date.
Because of the impact this might have on you, HealthEquity has arranged credit identity monitoring, insurance, and restoration services for a period of two years, as required by state statutes, free of charge, through Equifax. Impacted individuals will be provided with a deadline by which they need to activate these services, and instructions on how to activate your free monitoring subscription are included in the Reference Guide included in your mailing.
It is always good practice to remain vigilant and regularly review financial statements, credit reports, and Explanation of Benefits (EOBs) for any unauthorized activity. This is best practice for all individuals. If you identify suspicious activity, you should contact the company that maintains the account on your behalf.
If you have any questions or would like additional information, please call HealthEquity toll-free (888) 244-3079. This service center is open from 9:00 a.m. – 9:00 p.m. EST, Monday through Friday, excluding some U.S. holidays.