HealthEquity Data Breach Exposed 4.3 Million People to Identity Theft
A Health Savings Account administrator allegedly failed to protect sensitive personal and medical data for over four million customers, exposing them to years of fraud risk while delaying disclosure for months.
HealthEquity, Inc., a Health Savings Account administrator based in Draper, Utah, experienced a massive data breach affecting 4.3 million individuals. Hackers accessed names, addresses, Social Security numbers, phone numbers, employee IDs, dependent information, and payment card data. The company discovered a system anomaly on March 25, 2024, but did not publicly acknowledge the breach until June 26, 2024, leaving victims unaware and unable to protect themselves for months. The lawsuit alleges HealthEquity failed to implement adequate cybersecurity measures, neglected industry standards, and delayed critical breach notifications, exposing millions to heightened risk of identity theft, financial fraud, and medical identity theft for years to come.
If you had a HealthEquity account, your most sensitive personal and medical information may have been stolen. This breach could haunt you for decades.
The Allegations: A Breakdown

| # | Allegation | Severity |
|---|---|---|
| 01 | HealthEquity failed to implement reasonable security measures to protect the personal identifiable information and protected health information of 4.3 million customers, allowing unauthorized hackers to access sensitive data including Social Security numbers, addresses, phone numbers, employee IDs, dependent details, and payment card information. | high |
| 02 | The company discovered a system anomaly on March 25, 2024, but did not publicly disclose the breach until June 26, 2024, leaving affected individuals unaware for three critical months during which identity thieves had free access to exploit stolen data. | high |
| 03 | HealthEquity neglected to comply with Federal Trade Commission Act requirements and state data security statutes that mandate reasonable security procedures and practices to safeguard consumer information. | high |
| 04 | The company failed to detect the data breach in a timely manner despite knowing the value and sensitivity of the healthcare and financial data it collected, demonstrating inadequate monitoring and intrusion detection systems. | high |
| 05 | HealthEquity did not adequately design, implement, maintain, monitor, or test its networks, systems, protocols, policies, procedures, and practices to ensure customer data was secured from unauthorized access. | high |
| 06 | The company maintained inadequate administrative, physical, and technical safeguards, ignoring known vulnerabilities in its systems while collecting and storing highly sensitive personal and medical information from millions of customers. | high |
| 07 | HealthEquity misrepresented in its Privacy Notice that customer privacy was important and that it would honor all individual privacy rights defined by law, when in reality its security practices were not reasonable or adequate. | medium |
| 08 | Even after discovering the breach, HealthEquity has not yet provided formal data breach notifications to all affected individuals, leaving some victims unaware that their personal information was compromised and preventing them from taking protective measures. | high |

| # | Allegation | Severity |
|---|---|---|
| 01 | The United States lacks a comprehensive federal data breach notification law, relying instead on a patchwork of state laws that creates inconsistent protection and allows companies to exploit gaps in enforcement. | high |
| 02 | Data breach laws depend on corporations to self-report security incidents, giving companies control over the timeline of disclosure with minimal external oversight or verification. | high |
| 03 | Regulatory agencies lack sufficient resources to handle data breaches affecting millions across multiple states, straining their ability to act swiftly or decisively when incidents occur. | medium |
| 04 | Current regulations focus on requiring breach notifications after the fact rather than mandating preventive security measures, allowing companies to operate with substandard protections until a breach exposes their failures. | high |
| 05 | Legal frameworks provide ambiguous grace periods between discovering a breach and disclosing it, which companies exploit to manage internal communications and public relations before informing victims. | medium |
| 06 | The Federal Trade Commission can only respond to unfair or deceptive practices after they occur, lacking authority to proactively enforce minimum cybersecurity standards before breaches happen. | medium |

| # | Allegation | Severity |
|---|---|---|
| 01 | HealthEquity allegedly prioritized cost-saving over robust cybersecurity investment, treating data security as discretionary overhead rather than a fundamental obligation to customers who entrusted the company with their most sensitive information. | high |
| 02 | The company apparently deemed the cost of robust encryption, real-time threat monitoring, and frequent third-party security audits as burdensome, choosing instead to assume it could function effectively with minimal security investment. | high |
| 03 | HealthEquity externalized the costs of inadequate cybersecurity onto consumers, who now bear the burden of identity theft, financial fraud, and medical identity theft, while the company faces only potential lawsuit settlements that may be a fraction of its revenue. | high |
| 04 | The company collected fees from millions of customers precisely because it offered a service to manage sensitive financial and medical transactions, yet allegedly failed to invest proportionately in protecting that very data. | high |
| 05 | HealthEquity’s business model depends heavily on collecting intimate consumer data, yet the lawsuit suggests the company operated under a profit equation that weighed potential lawsuit settlements against the recurring investment in top-tier security and chose the former. | high |
| 06 | The breach demonstrates how short-term profit maximization under neoliberal capitalism can influence corporate spending, directing funds toward revenue-generating activities while neglecting cybersecurity that does not directly increase profits. | medium |

| # | Allegation | Severity |
|---|---|---|
| 01 | Victims face immediate financial losses from fraudulent tax returns, unauthorized credit lines, and bank account takeovers, requiring hours or months of phone calls and legal processes to dispute fraudulent transactions. | high |
| 02 | The stolen data can be used for medical identity theft, causing victims to be saddled with medical bills for services they never received or to have their medical records compromised with incorrect information. | high |
| 03 | Affected individuals must now spend considerable time and money on ongoing credit monitoring, identity theft insurance, credit freezes and unfreezes, and constant surveillance of financial and medical accounts to guard against fraud. | high |
| 04 | The risk of identity theft more than quadruples for data breach victims, and this elevated risk will persist for years or decades because Social Security numbers and medical information do not expire. | high |
| 05 | Consumers lost more than 56 billion dollars to identity theft and fraud in 2020, and over 75 percent of identity theft victims reported emotional distress from the violation of their privacy and loss of control over personal information. | high |
| 06 | The unauthorized acquisition of personal information has diminished the value of that data for legitimate purposes, as victims can no longer trust that their information remains private or secure. | medium |
| 07 | Many households with Health Savings Accounts are middle-class or lower-income families striving to reduce healthcare costs, who lack the resources to engage in prolonged disputes with banks, credit agencies, or identity thieves. | medium |
| 08 | Identity thieves can use stolen information to open new financial accounts, take out loans, obtain medical services, obtain government benefits, and obtain driver licenses in victims’ names, forcing ongoing vigilance over potential misuse. | high |

| # | Allegation | Severity |
|---|---|---|
| 01 | The breach compromised protected health information including medical histories, potentially detailing preexisting conditions and mental health treatments that can be exploited for targeted scams or used in identity theft. | high |
| 02 | Criminals can file insurance claims under a stolen identity or access medical services in someone else’s name, causing victims to face withheld health services due to incorrect insurance records and billing confusion. | high |
| 03 | Victims may suffer possible misdiagnoses when incorrect information from identity theft seeps into their medical files, directly endangering their physical health and safety. | high |
| 04 | A person’s entire medical journey might become compromised if identity thieves undergo treatments in their name, creating a cascade of billing nightmares and corrupted health records that can persist for years. | high |
| 05 | The release, disclosure, and publication of sensitive private health data represents not only an intrusion of privacy but a harbinger of identity theft with grave consequences for victims for years after the actual breach date. | medium |

| # | Allegation | Severity |
|---|---|---|
| 01 | HealthEquity promised in its Privacy Notice that customer privacy was important and that it would honor all individual privacy rights defined by law, yet allegedly failed to maintain adequate data security despite these assurances. | high |
| 02 | The company knew or should have known that a breach of its data security systems would cause damage to customers, yet proceeded with allegedly inadequate safeguards despite being aware of the value and vulnerability of the data it held. | high |
| 03 | HealthEquity ignored the inadequacies in its networks, systems, protocols, policies, procedures, and practices despite knowing they were not adequately designed to ensure customer information was secured from unauthorized access. | high |
| 04 | The company’s behavior demonstrates a reckless disregard for customer rights, acting with gross negligence by failing to secure personal information despite understanding the risk of unauthorized access it had created. | high |
| 05 | HealthEquity breached express and implied contracts with customers by failing to fulfill data security protections it had promised, delivering services of diminished value compared to what customers paid for and expected. | high |
| 06 | The company breached its implied duty of good faith and fair dealing by failing to take adequate measures to protect confidential information and by unreasonably interfering with the contract benefits owed to customers. | medium |
| 07 | HealthEquity was unjustly enriched by collecting fees from customers for services that were supposed to include data protection, while failing to implement the data management and security measures that customers paid for. | medium |

| # | Allegation | Severity |
|---|---|---|
| 01 | HealthEquity discovered the system anomaly on March 25, 2024, completed its data forensics and technical investigation on June 10, 2024, but only admitted the breach publicly on June 26, 2024, leaving victims unaware for three critical months. | high |
| 02 | During the months-long delay between discovery and disclosure, unauthorized hackers had free access to exploit stolen data while victims remained unable to take protective measures such as freezing credit reports or monitoring health insurance claims. | high |
| 03 | The company conducted an extensive technical investigation lasting from March to June, citing the need to complete internal forensics before notifying victims, effectively prioritizing its own information-gathering over immediate consumer protection. | high |
| 04 | HealthEquity failed to immediately disclose the breach to affected individuals, credit reporting agencies, the Internal Revenue Service, financial institutions, and other third parties who had both a right to know and the ability to mitigate harm. | high |
| 05 | Even after public acknowledgment in late June, some affected individuals still have not received formal notification from HealthEquity and remain unaware that their personal information was compromised, preventing them from protecting themselves. | high |
| 06 | The delay allowed the company to manage internal communications and craft public relations responses before informing victims, following a standard corporate playbook of measured information release to minimize reputational damage. | medium |

| # | Allegation | Severity |
|---|---|---|
| 01 | HealthEquity followed the typical corporate playbook of delayed disclosure, citing the need for internal investigation while victims remained unaware and vulnerable to identity theft during the crucial months after the breach. | high |
| 02 | The standard corporate response of offering free credit monitoring for a limited time is grossly inadequate because identity thieves may exploit stolen Social Security numbers and medical information many years after a breach occurs. | high |
| 03 | Corporate public relations strategies typically minimize the breach’s impact, emphasize the sophistication of hackers to deflect blame, and release information incrementally to manage reputational damage rather than prioritize victim protection. | medium |
| 04 | Companies often treat potential data breach settlements as a predictable cost of doing business rather than a compelling reason to invest in rigorous cybersecurity upfront, allowing them to weigh liability against security investment and choose the cheaper option. | high |
| 05 | The cycle of minimal admission, offering credit monitoring, and moving on has become so entrenched that corporations view it as manageable, while victims endure endless frustration setting up new accounts and disputing unauthorized charges for years. | medium |

| # | Allegation | Severity |
|---|---|---|
| 01 | Wealth disparity intensifies the impact of the breach because many Health Savings Account holders are middle-class or lower-income families who lack resources to engage in prolonged disputes with banks, credit agencies, or identity thieves. | high |
| 02 | Top executives may enjoy bonuses and high compensation tied to cost containment while millions of customers face the risk of personal data exploitation, externalizing security costs onto consumers who bear the burden of identity theft and personal losses. | high |
| 03 | Corporations can hire legal teams and public relations experts to mitigate blame, while individual victims scattered across multiple states each lose only small amounts at first but suffer enormous collective harm with limited recourse. | medium |
| 04 | The system essentially incentivizes the externalization of costs, where the company might pay only a fraction of its revenue in legal fees or settlements while consumers suffer ongoing emotional burden and financial harm that rarely factors into damage calculations. | high |

| # | Allegation | Severity |
|---|---|---|
| 01 | This data breach affecting 4.3 million people was not an isolated mishap but a symptom of systemic corporate cost-minimization that disregards the fundamental rights and welfare of those served, prioritizing profits over consumer protection. | high |
| 02 | The pattern of large-scale data breaches is a feature, not a bug, of an environment that does not heavily penalize inadequate security, rewarding corporations for externalizing cybersecurity costs onto vulnerable consumers. | high |
| 03 | HealthEquity’s alleged failures demonstrate how corporate power can eclipse public interest when companies gather and centralize vast data sets without sufficiently robust accountability or mandatory minimum security standards. | high |
| 04 | The harm to victims will persist for years or decades as identity thieves exploit stolen Social Security numbers and medical information, while the corporation’s financial consequences may prove temporary and manageable. | high |
| 05 | Without structural changes including mandatory security standards, routine audits, and meaningful penalties that truly deter data mishandling, the cycle of preventable breaches will continue to endanger millions of consumers. | high |
| 06 | The lawsuit seeks to break through typical damage control narratives by demanding formal judicial or regulatory resolution that acknowledges the breach’s seriousness and compels actual long-term remedies beyond perfunctory credit monitoring offers. | medium |

Timeline of Events
Direct Quotes from the Legal Record
“On June 26, 2024, Defendant admitted that it experienced a data breach in a Data Breach Notification Submission to the Office of the Maine Attorney General. The Notification Submission states that the breach affected 4.3 million people.”
💡 This confirms the massive scope of personal data compromised, affecting over four million individuals across the United States.
“HealthEquity has admitted that hackers gained access to protected health information and may have obtained the following: sign-up information for accounts and benefits including names, addresses, telephone numbers, employee IDs, employers, social security numbers, general contact information of dependents, and payment card information.”
💡 The stolen data includes the most sensitive types of personal information, enabling comprehensive identity theft and fraud.
“On or about March 25, 2024, HealthEquity became aware of a systems anomaly requiring an extensive technical investigation and data forensics until June 10, 2024.”
💡 HealthEquity took nearly three months to investigate while victims remained unaware and unable to protect themselves.
“HealthEquity failed to adequately protect Plaintiff’s and Class Members’ Personal Identifiable Information. This PII was compromised due to Defendant’s negligent and/or careless acts and omissions and their utter failure to protect customers’ sensitive data.”
💡 The lawsuit directly accuses HealthEquity of negligence and careless failure to protect customer data despite its obligations.
“On the Privacy Notice page of its website, HealthEquity states: ‘Your privacy is important to us.’ HealthEquity further claims to ‘honor all individual privacy rights defined by law, as set forth herein and in governing regulations.’”
💡 HealthEquity made explicit promises about privacy protection that it allegedly failed to fulfill in practice.
“The present and continuing risk to victims of the Data Breach will remain for their respective lifetimes.”
💡 Because Social Security numbers and medical data do not expire, victims face permanent elevated risk of identity theft.
“Identity theft is the most common consequence of a data breach—it occurs to 65% of data breach victims. Consumers lost more than $56 billion to identity theft and fraud in 2020, and over 75% of identity theft victims reported emotional distress.”
💡 These statistics demonstrate the concrete financial and emotional harm that data breach victims typically experience.
“A data breach can have grave consequences for victims for years after the actual date of the breach—with the obtained information, thieves can wreak many forms of havoc: open new financial accounts, take out loans, obtain medical services, obtain government benefits, and/or obtain driver’s licenses in the victims’ names, forcing victims to maintain a constant vigilance over the potential misuse of their information. The risk of identity theft more than quadruples.”
💡 Data breach victims face more than four times the normal risk of identity theft, with consequences lasting years or decades.
“HealthEquity has yet to formally notify Plaintiff that it lost her PII and PHI. On information and belief, HealthEquity has not yet provided Data Breach notifications to some affected Class Members who may already be victims of identity fraud or theft or are at imminent risk of becoming victims of identity theft or fraud associated with PII and PHI that they provided to HealthEquity.”
💡 Months after the breach, some victims still have not been notified, leaving them unaware and unable to protect themselves.
“HealthEquity owed a duty to Plaintiff and Class Members, arising from the sensitivity of the information, the expectation the information was going to be kept private, and the foreseeability of its data safety shortcomings resulting in an intrusion, to exercise reasonable care in safeguarding their sensitive personal information.”
💡 The lawsuit establishes HealthEquity had a clear legal duty to protect this sensitive data based on its nature and customer expectations.
“Despite knowing its networks, systems, protocols, policies, procedures and practices, as described above, were not adequately designed, implemented, maintained, monitored and tested to ensure that Plaintiff’s and Class Members’ PII and PHI were secured from unauthorized access, HealthEquity ignored the inadequacies and was oblivious to the risk of unauthorized access it had created. HealthEquity’s behavior establishes facts evidencing a reckless disregard for Plaintiff’s and Class Members’ rights.”
💡 The lawsuit alleges not just negligence but gross negligence and reckless disregard for customer rights, suggesting willful inaction.
“Under the Federal Trade Commission Act (‘FTCA’), 15 U.S.C. § 45, HealthEquity had a duty to provide fair and adequate computer systems and data security practices to safeguard Plaintiff’s and Class Members’ PII and PHI. HealthEquity breached its duties to Plaintiff and Class Members, under the Federal Trade Commission Act, 15 U.S.C. § 45, (‘FTCA’) and the state data security statutes, by failing to provide fair, reasonable, or adequate computer systems and data security practices to safeguard Plaintiff’s and Class Members’ PII.”
💡 HealthEquity allegedly violated specific federal statutory duties designed to protect consumer data.
“HealthEquity materially breached the terms of these express contracts, including, but not limited to, the terms stated in the relevant Privacy Policy. Specifically, HealthEquity did not comply with federal, state and local laws, or industry standards, or otherwise protect Plaintiff’s and the Class Members’ PII and PHI.”
💡 Customers had contractual agreements with HealthEquity that the company allegedly violated by failing to protect their data as promised.
“As a result of HealthEquity’s failure to fulfill the data security protections promised in these contracts, Plaintiff and members of the Class did not receive the full benefit of the bargain, and instead received services that were of a diminished value to that described in the contracts.”
💡 Customers paid for secure services but received services worth less due to inadequate data protection.
“The money that Plaintiff and Class Members paid to Defendant should have been used to pay, at least in part, for the administrative costs and implementation of data management and security. Defendant failed to implement—or adequately implement—practices, procedures, and programs to secure sensitive PII and PHI, as evidenced by the Data Breach.”
💡 HealthEquity collected fees supposedly to cover data security but allegedly failed to spend adequately on those protections.
Frequently Asked Questions