HealthEquity Exposed 4.3 Million People’s Health and Financial Data
TL;DR
- HealthEquity, Inc., a Utah-based Health Savings Account (HSA) administrator, suffered a data breach on March 9, 2024 that compromised the personal and protected health information of at least 4.3 million people across the United States.
- The stolen data includes some of the most sensitive information that exists: names, Social Security numbers, addresses, phone numbers, employee IDs, payment card information, names of dependents, and general contact information tied to health benefit accounts.
- HealthEquity detected a “systems anomaly” on March 25, 2024, but did not finish its forensic investigation until June 10, 2024, did not formally admit a breach occurred until June 26, 2024, and did not file notice with the Maine Attorney General until July 26, 2024. That is over four months from breach to public disclosure.
- The lead plaintiff, Jennifer Keane, had been a HealthEquity customer for over 12 years. HealthEquity had not formally notified her that her data was compromised as of the August 6, 2024 filing date, even though she believed her information was exposed.
- The lawsuit charges HealthEquity with negligence, gross negligence, breach of express and implied contracts, breach of the implied duty of good faith and fair dealing, unjust enrichment, and violations of the Washington Consumer Protection Act.
- The risk to victims is permanent. The lawsuit states plainly that the present and continuing risk to victims of the Data Breach will remain for their respective lifetimes. According to statistics cited in the complaint, 65% of data breach victims go on to experience identity theft, and the risk of identity theft more than quadruples after a breach.
- Despite publicly promising in its Privacy Notice that “your privacy is important to us,” HealthEquity, according to the complaint, knowingly ran systems that were not adequately designed, implemented, maintained, monitored, or tested to prevent unauthorized access.
The lawsuit alleges HealthEquity knew its security systems were deficient and chose to keep that fact secret from the millions of people who trusted it with their most sensitive health and financial information. The full breakdown of that concealment is in Legal Receipts.
The Non-Financial Ledger: What This Actually Cost Real People
Jennifer Keane trusted HealthEquity with her most sensitive information for over twelve years. She was not a new customer who failed to do her research. She was a long-term client who paid for a service, handed over her Social Security number, her health benefit account details, the names and contact information of her dependents, and her payment card data, because HealthEquity told her it would protect all of it. The company’s own Privacy Notice looked her in the eye and said: “Your privacy is important to us.”
When the breach became public, Keane did what millions of Americans are quietly being forced to do after corporate negligence: she sat down and spent hours of her own time trying to undo someone else’s failure. She researched the breach. She researched how to protect herself from breaches. She reviewed her financial accounts looking for signs that someone had already started using her data. Then she made a plan to spend several hours every single month going forward doing the same thing, because she now lives with the knowledge that her information is out there, in the hands of criminals, and it will not stop being out there in her lifetime.
That is the part the press releases do not mention. There is no one-time fix. You cannot un-expose a Social Security number. You cannot place a credit freeze, wait two weeks, and then go back to normal. The lawsuit states it with clinical precision: “the present and continuing risk to victims of the Data Breach will remain for their respective lifetimes.” What that sentence means in human terms is that 4.3 million people now carry a permanent, unpaid, involuntary second job. Monitoring credit reports. Checking bank statements. Filing fraud alerts. Paying for credit monitoring services that should never have been necessary. Calling their banks. Arguing with credit bureaus. Explaining to their children, whose names and contact information were also exposed as dependents on health accounts, that their information is out there too.
The lawsuit documents the emotional reality directly. Keane suffered anxiety, concern, and unease about unauthorized parties viewing and potentially using her personal and health information. These are not dramatic injuries in the legal sense. They are the quiet, grinding, daily dread of not knowing who has your data or what they plan to do with it. Research cited in the complaint from the ID Theft Resource Center found that victims of identity theft showed markedly increased fear for their personal financial security, and that this fear intensifies over time as people come to understand that the consequences can stretch on for years.
The stolen data in this breach was not low-stakes. This was not a loyalty rewards card database. HealthEquity is a Health Savings Account administrator. The data it held included the kinds of information criminals use to commit immigration fraud, file fraudulent tax returns, open new loans, obtain government benefits, and access medical services in someone else’s name. Social Security numbers. Employee IDs. Payment card information. Names and contact details of dependents, meaning children and other family members were swept into this exposure through no action or choice of their own. When that data leaves the hands of the company you trusted and enters a criminal marketplace, the person bearing the entire cost of that failure is you, not the company that failed to protect it.
HealthEquity generated revenue from every one of those 4.3 million customers. It collected fees for managing health savings accounts. It stored the most sensitive information those customers possessed. And then, according to this lawsuit, it ran systems that were not adequately designed, implemented, maintained, monitored, or tested to keep that information safe. It knew its obligations. It wrote a Privacy Notice pledging to meet them. And it failed. The invoice for that failure was not sent to HealthEquity’s shareholders. It was sent to 4.3 million people who will spend the rest of their lives paying it.
Source: Keane v. HealthEquity, Inc., Case No. 2:24-cv-00561
Legal Receipts: What HealthEquity Actually Admitted
The following quotes come directly from the class action complaint filed August 6, 2024 in the U.S. District Court for the District of Utah (Case No. 2:24-cv-00561). They reflect allegations drawn from HealthEquity’s own public filings and disclosures to regulators.
“On the Privacy Notice page of its website, HealthEquity states: ‘Your privacy is important to us.’ HealthEquity further claims to ‘honor all individual privacy rights defined by law, as set forth herein and in governing regulations.'” (Complaint ¶21, citing HealthEquity General Privacy Notice)
- This is a documented public promise made to every customer. It establishes the express contractual and implied commitment that forms the foundation of multiple legal counts in this lawsuit.
- By making these representations while allegedly running deficient security systems, HealthEquity exposed itself to claims of breach of express contract, breach of implied contract, and consumer protection violations.
“HealthEquity has admitted that hackers gained access to protected health information and may have obtained the following: sign-up information for accounts and benefits including names, addresses, telephone numbers, employee IDs, employers, social security numbers, general contact information of dependents, and payment card information.” (Complaint ¶6, citing HealthEquity’s Individual Notification Letter Template)
- This is HealthEquity’s own admission, filed with the Maine Attorney General. The word “may” in the notice hedges what was actually exfiltrated, not what was exposed: Social Security numbers and payment card information were among the data categories the intruder could reach, and victims have to plan as if that data was taken.
- The inclusion of dependents’ contact information means people who never directly agreed to HealthEquity’s terms of service were also compromised. Children and family members of account holders are among the victims.
- This data combination, specifically Social Security numbers plus employer information plus financial account data, is exactly what identity thieves need to open loans, file fraudulent tax returns, and obtain government benefits in someone’s name.
“HealthEquity became aware there was a systems anomaly on March 25, 2024 and finished its data forensics and technical investigation in June 10, 2024.” (Complaint ¶23, citing HealthEquity’s Notice of Data Breach filing to Maine AG)
- This is HealthEquity’s own timeline, not an allegation invented by plaintiffs. Read against the March 9 breach date, the company’s own documents give three intervals a security practitioner would measure: 16 days from intrusion to detection, 77 days from detection to the end of the forensic investigation, and a further 46 days from the end of the investigation to the Maine Attorney General filing on July 26.
- During that entire 77-day investigation, and the weeks of notification delay that followed it, 4.3 million people had no idea their data was potentially in criminal hands. They could not place credit freezes. They could not monitor for specific threats. They were defenseless because they did not know they were under threat.
“Despite knowing its networks, systems, protocols, policies, procedures and practices, as described above, were not adequately designed, implemented, maintained, monitored and tested to ensure that Plaintiff’s and Class Members’ PII and PHI were secured from unauthorized access, HealthEquity ignored the inadequacies and was oblivious to the risk of unauthorized access it had created.” (Complaint ¶71, Gross Negligence Count)
- This allegation, if proven, moves the conduct from simple negligence into gross negligence territory. “Gross negligence” carries a higher standard: it requires showing reckless disregard, not just carelessness.
- The lawsuit alleges HealthEquity had actual knowledge of the deficiencies in its systems and chose not to fix them. This is the difference between accidentally leaving a door unlocked and knowing the lock is broken and telling customers the building is secure anyway.
“HealthEquity accepted the responsibility of protecting the data, while keeping the inadequate state of its security controls secret from the public.” (Complaint ¶137, Washington Consumer Protection Act Count)
- Under the Washington Consumer Protection Act (Wash. Rev. Code § 19.86.020), omitting or concealing a material fact in the conduct of trade or commerce is an unfair and deceptive practice. This quote goes directly to that claim.
- The complaint further alleges HealthEquity acted “intentionally, knowingly, and maliciously” in violating the Washington CPA, which opens the door to treble damages for Washington subclass members.
Societal Impact Mapping
Public Health
A Health Savings Account administrator holds a uniquely dangerous combination of data: financial records and health benefit records intertwined. When that data is exposed, the harms extend well beyond bank account fraud into healthcare access and medical identity theft.
- The stolen data included sign-up information for health benefit accounts. This means criminals can potentially use victims’ information to obtain medical services, prescriptions, or insurance claims in their names, a form of medical identity theft that can corrupt a victim’s medical records and leave them responsible for debts or with false diagnoses embedded in their health file.
- Over 75% of identity theft victims reported emotional distress as a documented consequence, according to research cited in the complaint. For the 4.3 million people in this breach, that translates to a mass public health event measured not in hospital admissions but in anxiety, fear, and loss of financial security.
- Identity theft victims face “marked increased fear for personal financial security,” per research from the ID Theft Resource Center cited in the complaint, with this fear deepening over time as victims come to understand the long-term nature of the exposure. This chronic psychological burden is a real and documented public health cost.
- HealthEquity stored protected health information (PHI) alongside personally identifiable information (PII). The simultaneous exposure of both categories means victims face compounded risks: financial identity theft and health record contamination occurring in parallel, from a single breach event.
Economic Inequality
The economic burden created by this breach was not distributed evenly. It was placed entirely on the 4.3 million individuals whose data was stolen, while HealthEquity continued to operate its business.
- Victims must now personally purchase credit monitoring services, credit freezes, and credit reports to protect themselves from a threat they did not create. These are ongoing, indefinite out-of-pocket costs. The lawsuit states victims “have incurred, and will continue to incur on an indefinite basis” these expenses, meaning this is a permanent tax on victims, not a one-time event.
- Consumers lost more than $56 billion to identity theft and fraud in 2020 alone, per data cited in the complaint. At a 65% victimization rate among breach victims, a 4.3 million-person breach statistically puts over 2.7 million people on a collision course with direct financial fraud.
- The complaint documents that plaintiff Jennifer Keane immediately spent several hours of her own time researching the breach and planning protective measures, and now plans to spend several hours per month on ongoing monitoring. For hourly workers, caregivers, or anyone without flexible work arrangements, those hours represent real lost income and labor.
- Some class members may face decreased credit scores as a result of fraudulent activity they did not commit, which can affect their ability to rent housing, qualify for loans, or access other essential financial services. The damage to credit standing creates cascading inequality for people who were already using an HSA because they were managing healthcare costs carefully.
- The lawsuit argues that customers received “services that were of a diminished value” compared to what they paid for. This is an economic harm independent of identity theft: 4.3 million people paid for a secure service and received an insecure one. The difference in value represents a transfer of wealth from customers to a company that pocketed fees without delivering the promised security.
- Washington subclass members may seek treble damages under the state Consumer Protection Act, but class members in other states have no such multiplier available to them, illustrating how geography determines justice in corporate accountability cases. The financial harm is national; the legal remedies are fragmented.
What Now: The People Responsible and the Steps to Take
HealthEquity is a publicly traded Delaware corporation with its principal place of business in Draper, Utah. The following are the corporate roles responsible for the decisions and systems at the center of this lawsuit. The complaint does not name individual executives, so roles rather than names are listed.
- The registered corporate defendant is HealthEquity, Inc., a Delaware corporation headquartered in Draper, Utah. It operates as the industry’s largest HSA administrator.
- Leadership of its data security practices, its privacy compliance functions, and its breach notification decisions is the responsibility of whoever held the roles of Chief Information Security Officer, Chief Privacy Officer, and Chief Executive Officer at the time of the breach in March 2024.
- HealthEquity’s board of directors, as the governing body of the company, is responsible for ensuring that the company’s executives maintained adequate security infrastructure. The lawsuit’s gross negligence count alleges the company knew its systems were deficient and acted with reckless disregard for customer rights.
Regulatory Watchlist
These are the agencies with jurisdiction over what HealthEquity did. Contact them directly. File complaints. Make noise.
- Federal Trade Commission (FTC): The lawsuit specifically invokes the FTC Act, 15 U.S.C. § 45, which prohibits unfair or deceptive acts in commerce. The FTC has direct authority to investigate and sanction companies that fail to maintain adequate data security. File a complaint at reportfraud.ftc.gov.
- Maine Attorney General’s Office: Already on record in this case. HealthEquity filed its breach notification there. The Maine AG has one of the most active consumer data protection offices in the country. Breach filings are public record and searchable.
- Washington State Attorney General’s Office: The Washington Consumer Protection Act claim in this lawsuit is brought privately on behalf of the Washington subclass, but the same statute is enforced by the AG, and Washington has consistently led on consumer data protection enforcement. Contact the AG’s consumer protection division directly at atg.wa.gov.
- U.S. Department of Health and Human Services (HHS) Office for Civil Rights: The complaint alleges HealthEquity held Protected Health Information (PHI). To the extent HealthEquity acts as a HIPAA covered entity or business associate, which the complaint’s PHI allegations presuppose, the HIPAA Security Rule applies and HHS OCR investigates violations. File a complaint at hhs.gov/ocr.
- Consumer Financial Protection Bureau (CFPB): HealthEquity holds payment card data and HSA account information. The CFPB accepts complaints about consumer financial products and can act against unfair, deceptive, or abusive practices. File at consumerfinance.gov/complaint.
- Securities and Exchange Commission (SEC): HealthEquity is publicly traded. The SEC’s cybersecurity disclosure rules require public companies to report a material cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that it is material. A breach affecting 4.3 million customers, with 139 days between the March 9 intrusion and the July 26 Maine filing, may warrant scrutiny of when HealthEquity made its materiality determination and what it filed during that period.
Direct Action: What You Can Do Right Now
- If you have or had a HealthEquity HSA: Assume your data was exposed. Place a free credit freeze with all three major bureaus (Equifax, Experian, TransUnion) immediately. A freeze is free, reversible, and the single most effective tool against new account fraud.
- Request your free annual credit reports from annualcreditreport.com. Review them for accounts, loans, or inquiries you did not initiate. Dispute anything unfamiliar in writing.
- Place a fraud alert with one credit bureau (it automatically notifies the others). This requires creditors to verify your identity before opening new accounts.
- File a complaint with the FTC at reportfraud.ftc.gov. Every complaint filed creates a documented record that regulators use to build enforcement cases. Yours matters.
- Contact the class action law firms directly if you believe you are a member of the affected class. The attorneys of record are Marshall Olson and Hull, PC (Salt Lake City), Milberg Coleman Bryson Phillips Grossman PLLC (Chicago), and Cotchett, Pitre and McCarthy, LLP (Seattle). Contact information is public in the case filing.
- Connect with local mutual aid networks and credit unions in your area. Credit unions are member-owned, not-for-profit, and subject to different regulatory frameworks than corporate HSA administrators. They are a structural alternative to giving your most sensitive data to companies like HealthEquity.
- Support data privacy legislation in your state. Contact your state representative and demand comprehensive consumer data protection law with private right of action, so that individual citizens can sue companies for data security failures directly, without waiting for a class action to wind through federal court for years.
The source document for this investigation is attached below.