More than 4.3 million Americans have had their personal data stolen by hackers after HSA provider HealthEquity suffered a data breach. The stolen information consisted of sign-up information for the accounts and benefits it manages.

The exposed data may include details in one or more of the following categories: first and last names, addresses, telephone numbers, employee IDs, employers, Social Security numbers, health card numbers, health plan member numbers, dependent contact information, HealthEquity benefit types, diagnoses, prescription details, payment card information (excluding payment card numbers), and/or HealthEquity account types.

It’s important to note that not every data category was compromised for every member.

In a Form 8-K filing with the SEC at the start of July, HealthEquity disclosed that hackers accessed sensitive health data using compromised credentials from one of its partners. The company first detected the system anomaly on March 25, with the investigation continuing until June 10. HealthEquity only confirmed the extent of the intrusion at the end of June.

“We discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems. On June 26, 2024, after validating the data, we unfortunately determined that some of your personal information was involved.”

HealthEquity has since secured the compromised database and disabled all potentially affected vendor accounts, blocking all IP addresses associated with the hack, and implementing a global password reset for the impacted partner. The company is now offering those affected by the breach 24 months of free identity monitoring and restoration services.

HealthEquity says it’s still in the process of notifying customers that have been affected by the breach. It explained that all Impacted individuals will be notified by mail or email, depending on their account communication preferences. It’s expected that everyone impacted will be officially notified by Aug. 9.