HealthEquity, a Utah-based administrator of health savings accounts (HSAs), health reimbursement arrangements (HRAs), and COBRA benefits serving millions of Americans, disclosed a data breach impacting 4.3 million individuals. The breach originated via compromised user accounts belonging to an unnamed third-party vendor that had access to HealthEquity’s SharePoint-based online data storage. Unauthorized access occurred on March 9, 2024, and was detected March 25, 2024 via an MSSP alert. Investigation completed June 10. Exposed data included names, contact information, SSNs, employer information, health plan details, diagnoses, prescription information, and benefit account details. The vendor’s access was immediately terminated upon discovery. HealthEquity did not publicly name the vendor or identify the responsible threat actor.