Frequently Asked Questions
On October 5, 2018, HealthEquity’s information security team identified unauthorized logins to two HealthEquity employees’ email accounts. The unauthorized access occurred, in the case of one account, on October 5, and in the case of the other, on different occasions between September 4, 2018 and October 3, 2018. HealthEquity immediately implemented security measures to prevent further access to the accounts, and began analyzing all information contained in these accounts to identify any sensitive personal information.
On October 20, 2018, HealthEquity began receiving the results of the review of emails in the two affected mailboxes. The analysis confirmed that the accounts contained information including participants’ Social Security numbers and may have included other information such as names, HealthEquity member ID, account type (HSA, HRA, FSA, LPFSA, DCRA), contribution amount, and/or employer’s name.
What is HealthEquity doing in response to this?
Following the discovery, HealthEquity took several steps to address the incident including:
- Immediately securing the accessed email accounts
- Alerting law enforcement
- Completing a comprehensive third-party review of accessed accounts for personal information
- Verifying no other HealthEquity email accounts or systems were accessed
- Conducting a third-party audit of HealthEquity’s systems to detect and prevent unauthorized logins
What is HealthEquity offering to do to help me?
We are offering free, five year identity theft protection services through ID Experts®, a data breach and recovery services expert, to provide you with MyIDCare™. MyIDCare services include: Credit Monitoring, Cyberscan Dark Web Monitoring, a $1,000,000 insurance reimbursement policy, exclusive educational materials and fully managed identity theft recovery services.
Has any identity theft or fraud been reported as a result of this?
No, we have not received any reports of identity theft or fraud.
Who is HealthEquity? Why do they have my information?
HealthEquity is one of the nation’s largest providers of health savings accounts (HSAs) and reimbursement arrangement services (flexible spending accounts, health reimbursement arrangements, limited purpose flex spending accounts, and dependent care reimbursement accounts, etc.). Your information was provided to HealthEquity in connection with the services we provide.
When did HealthEquity discover we were affected?
HealthEquity received the initial analysis of the mailbox review on October 20, 2018. HealthEquity then performed data analysis to confirm which individuals were contained in the files.
What information was accessed?
Files containing information for some members, such as Social Security numbers, were accessible in the email account(s).
Was my HealthEquity username and password compromised?
No. Your HealthEquity member portal information remains secure.
Did they access my debit card information?
No. We do not keep your debit card information and the HealthEquity portal was not compromised.
What is the last day to enroll in the identity theft and credit monitoring services?
March 31, 2019
What can I do to better protect myself against identity theft and fraud?
While we are unaware of any identify theft or fraud resulting from this event, we encourage you to monitor your identity, financial accounts, and credit reports. General steps you can take to protect against identity theft and fraud include:
- Enroll to receive the monitoring services we are offering you. Instructions on how to do so are contained in the letter we mailed to you.
- Review your account statements regularly for suspicious activity, and report all suspicious or fraudulent activity to your provider or financial institution.
- Review your credit report for suspicious or fraudulent activity. You are entitled to one free credit report a year, and can request this report from either www.annualcreditreport.com, which can be reached at 1-877-322-8228, or from the consumer reporting agencies. Experian can be reached at: PO Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com. Equifax can be reached at: PO Box 105069, Atlanta, GA 30348, 800-525-6285, www.equifax.com. TransUnion can be reached at: PO Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com.
- Place a fraud alert on your credit reports, which will tell creditors to take extra steps to verify your identity prior to granting credit in your name. To do so, reach out to one of the consumer reporting agencies, and they will communicate amongst each other to notify of the fraud alert once it is placed. Experian can be reached at: PO Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com. Equifax can be reached at: PO Box 105069, Atlanta, GA 30348, 800-525¬6285, www.equifax.com. TransUnion can be reached at: PO Box 2000, Chester, PA 19016, 800¬680-7289, www.transunion.com.
- Place a security freeze on your credit reports, which will prohibit the release of information relating to you by a consumer reporting agency without your written authorization. To place a security freeze, you must contact each of the consumer reporting agencies directly, and the contact information to do so is different than the contact information to place a fraud alert. Experian can be reached at: PO Box 9554, Allen, TX 75013, 888-397-3742, www.experian.com/freeze/center.html. Equifax can be reached at: PO Box 105788, Atlanta, GA 30348, 800-685-1111 (NY residents: 800-349-9960, www.freeze.equifax.com. TransUnion Fraud Victim Assistance can be reached at PO Box 2000, Chester, PA 19016, 888-909-8872, www.transunion.com/credit-freeze/place-credit-freeze.
- Contact your state Attorney General or the Federal Trade Commission for additional information on what you can do to protect against identity theft. The FTC can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.ftc.gov/idtheft/; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.
- Report incidents of fraud and identity theft to law enforcement.
- Monitor for misuse of Social Security Benefits. You can create an account at https://www.socialsecurity.gov/myaccount/ to monitor for any actual or attempted misuse. If they see an error or attempted misuse of social security benefits, you can go to your local Social Security Office for assistance. Local offices can be found using the following office locator https://secure.ssa.gov/ICON/main.jsp.
Should I check my credit report?
We encourage you to always monitor your credit report for suspicious activity. Every U.S. consumer over the age of eighteen with credit issued in their name can receive a free copy of their credit report on an annual basis from the consumer reporting agencies. You can contact the agencies directly or contact the Annual Credit Report Service by calling, toll-free, 877-322-8228 or visiting www.annualcreditreport.com. If you’d like to contact the agencies directly, you may reach out to Experian, Equifax, or TransUnion. Equifax’s contact information is: PO Box 105069, Atlanta, GA 30348, 800-525-6285, www.equifax.com. Experian’s contact information is: PO Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com. TransUnion’s contact information is: PO Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com.
What is the purpose of a fraud alert?
A fraud alert tells creditors to contact you before they open a new credit account under your Social Security number.
What is the purpose of a credit freeze or security freeze?
A security freeze or credit freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without the consumer’s written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services.
To place a security freeze on your credit report, you can make the request online to each of the major consumer reporting agencies: Equifax (www.equifax.com), Experian (www.experian.com), and TransUnion (www.transunion.com) or by sending a written request by regular, certified or overnight mail to the addresses below:
Equifax Security Freeze Experian Security Freeze TransUnion
P.O. Box 105788 P.O. Box 9554 P.O. Box 2000
Atlanta, GA 30348 Allen, TX 75013 Chester, PA 19016
1-800-685-1111 1-888-397-3742 1-888-909-8872
www.freeze.equifax.com www.experian.com/freeze www.transunion.com/credit-freeze
In order to request a security freeze, you may need to provide the following information and/or answer questions that are unique to your credit history:
1. Your full name (including middle initial as well as Jr., Sr., II, III, etc.);
2. Social Security number;
3. Date of birth;
4. If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years;
5. Proof of current address, such as a current utility bill or telephone bill;
6. A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.);
7. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft;
8. If you are not a victim of identity theft, include payment by check, money order, or credit card (Visa, MasterCard, American Express or Discover only). Do not send cash through the mail.
The credit reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit file report. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number (PIN) or password, or both, that can be used by you to authorize the removal or lifting of the security freeze.
To lift the security freeze, either permanently or in order to allow a specific entity or individual access to your credit report, you can do so online or by calling or sending a written request to the credit reporting agencies by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze. To temporarily lift a credit security freeze, you may have to also provide the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to remove the security freeze.
If I sign up for the free identity theft and credit monitoring services, do I forfeit my right to take legal action against HealthEquity?
No, signing up for free identity theft and credit monitoring services does not require you to forfeit any rights you may have regarding HealthEquity.