HealthEquity Class Action Alleges 'Careless' Data Handling Led to Breach

Case Overview: A class action lawsuit has been filed against HealthEquity, alleging the company's negligence in data security practices led to a data breach exposing sensitive customer information.

Consumers Affected: Individuals whose personal information was compromised in the HealthEquity data breach.

Court: U.S. District Court for the District of Utah

HealthEquity, a financial technology company that administers health savings accounts, is facing claims in a new lawsuit that it is careless and negligent with consumer data and violates federal data storage guidelines and industry best practice, which led to a major data breach.  

The lawsuit alleges that HealthEquity failed to adequately secure the personally identifiable information of its customers, leaving them vulnerable to identity theft and fraud following the July breach, when hackers entered the companies system and stole consumer information ranging from names and addresses to social security numbers and more. 

Personal Information Stolen Due To HealthEquity's Failures, Lawsuit Alleges

Utah resident Colin Booth filed the proposed class action lawsuit against the company, as one of what he said are the tens of thousands of people affected by the data breach. He argues that the company violated both federal and state statutes by failing to safeguard consumers PII, and not following industry standards for data security.

Booth accuses HealthEquity of negligence, alleging that the company failed to protect sensitive customer information, including names, addresses, phone numbers, employee IDs, Social Security numbers, and payment card information.  

This data was reportedly left unencrypted and unredacted, making it an easy target for hackers, and he says HealthEquity's failure to implement proper security measures put customers at lifelong risk of identity theft and other forms of fraud. 

“This unencrypted, unredacted PII was compromised due to Defendant’s negligent and/or careless acts and omissions and its utter failure to protect customers’ sensitive data,” the lawsuit states. Booth also alleges that HealthEquity didn’t provide timely notice of the breach.

How The HealthEquity Data Breach Occurred

In July, hackers were able to gain access to HealthEquity's computer system and they targeted and took files with the unencrypted PII, which included Social Security numbers and other highly sensitive information. 

Booth says in the lawsuit that the personal data has likely been sold on the dark web where it can be used for identity theft and other malicious activities, putting those affected at a high risk of identity theft and fraud. Already, he said, those affected have had an increase in spam calls, texts, and emails, and allege their PII has been disseminated on the dark web.

The lawsuit also highlights the emotional and financial toll on the victims, who now have to spend time and resources monitoring their accounts, addressing potential fraud, and securing their identities.

“As a result of Defendant’s ineffective and inadequate data security practices, the Data Breach, and the foreseeable consequences of PII ending up in the possession of criminals, the risk of identity theft to the Plaintiff and Class Members has materialized and is imminent, and Plaintiff and Class Members have all sustained actual injuries and damages,” the lawsuit alleges.

Data Breaches on the Rise in Healthcare and Financial Sectors

Data breaches are becoming increasingly common in the healthcare and financial sectors, where companies hold vast amounts of sensitive personal information. The lawsuit cites a 2023 report that noted a 78 percent increase in data breaches from the previous year, highlighting the growing threat to consumers.

Booth said HealthEquity should have been aware of this fact, and the risk that it faced given the value of the data it stored, yet, he alleges, it didn’t follow industry best practices of FTC guidelines for data storage. The breach could have been prevented had HealthEquity adhered to basic data security practices, like encrypting data, he claims.

Similar Cases in the Healthcare Industry

HealthEquity is not the only company facing legal action over data breaches, with a recent spate filed by consumers in courts across the country. Coastal Orthopedics & Sports Medicine was just hit with a class action lawsuit alleging negligence in a data breach that exposed the personal and medical information of over 200,000 patients. 

SouthCoast Medical Group was hit with a class action lawsuit accusing it of negligence in a data breach that exposed patients' personal and medical information, allegedly leading to identity theft and fraud, and Henry Ford Health was also recently hit with a class action lawsuit alleging it unlawfully discloses patients' confidential information to third parties, including Facebook and Google without patient consent. 

Meanwhile, nonprofit provider of outpatient mental and physical healthcare services Justice Resource Institute Inc. (JRI) has been hit with a class action lawsuit alleging it’s responsible for a major data breach that exposed a woman’s sensitive health information, and the information of other patients.

In the HealthEquity data breach class action lawsuit, Booth wants to represent people affected by the breach from across the country and he is suing for alleged negligence, breach of implied contract, and unjust enrichment. He is seeking enjoinment, injunctive relief, damages, fees, and costs.

Case Details

• Lawsuit: Booth v. HealthEquity, Inc.
• Case Number: 2:24-cv-00553-DBB 
• Court: U.S. District Court for the District of Utah 

Plaintiffs' Attorneys

• Jason R. Hull (Marshall Olson & Hull, P.C.)
• Gary M. Klinger (Milberg Coleman Bryson And Philips Grossman PLLC)

Have you been affected by the HealthEquity data breach? Share your experiences in the comments below.