HSA providers on high alert: Sophisticated attacks target billions in savings

Employees who thinking logging into accounts now is hard may go through some things.

By Allison Bell | March 19, 2025 at 11:42 AM

Health savings account providers are discovering that their clients' assets are magnets for crooks — even when the HSA providers' own data defenses are strong.

HealthEquity is seeing more cyber threats from bad actors using sophisticated technology, Scott Cutler, the company's chief executive officer, said Tuesday, during a conference call with securities analysts.

Recommended For You

Some of the bad actors have support from national governments, Cutler added.

For an HSA services provider like HealthEquity, that means even more efforts to improve internal data security programs.

For employers with HSA programs and for the employees with the HSAs, the need to strengthen defenses will lead to even more efforts to educate the HSA holders about ways to create strong passwords and keep crooks from tricking them into revealing information that could let crooks into the HSAs.

HealthEquity may also "introduce even more efforts associated with multi-factor authentication," Cutler said.

Multi-factor authentication systems, or MFA systems, are the systems that require computer users both to provide a password and to look in a digital camera, respond to a cell phone text or supply a code transmitted in an email message to get into an account.

Tougher MFA defenses could increase the number of employers and HSA-owning employees who need
help with HSA lockout problems.

The backdrop: In most ways, this is a great time for HSA providers.

HSA industry assets increased 18% between mid-2023 and mid-2024, to $137 billion in 38 million accounts, according to Devenir.

Some of the top health policy advisors in the administration of President Donald Trump are people who see expanding use of HSAs or similar types of health accounts as a good solution for many health policy problems.

Data security continues to be one nagging source of anxiety.

The threats include attackers trying to get into the HSA providers' systems, attackers trying to get into service providers' systems, and attackers using the personal information available as the result of earlier, unrelated attacks to worm their way into HSA users' accounts.

HealthEquity came face to face with the problem about a year ago, when it discovered that attackers had gotten into a business partner's user account. The breach at an outside entity may have given the attackers access to the personal information of about 4.3 million HSA users.

Related: HealthEquity breach may have affected 4.3M people

Health Equity reported in an annual report filed with securities regulators that it's still dealing with litigation stemming from the attack on the business partner's account.

NOT FOR REPRINT

Allison Bell, a senior reporter at ThinkAdvisor and BenefitsPRO, previously was an associate editor at National Underwriter Life & Health. She has a bachelor's degree in economics from Washington University in St. Louis and a master's degree in journalism from the Medill School of Journalism at Northwestern University. She can be reached through X at @Think_Allison.

Insurance
BenefitsPRO Broker Expo 2025
May 06, 2025 - Boston

The premier educational and networking event for employee benefits brokers and agents.
More Information
Workers' Compensation Risk Management Award for Excellence Nominations
May 05, 2025 - Nomination Deadline

The 2025 Workers Comp Risk Management Award for Excellence honors outstanding loss control, safety and return-to-work programs.
More Information
Consulting
Consulting Top Consultants 2025
June 26, 2025 - New York

Consulting Magazine identifies consultants that have the biggest impact on their clients, firms and the profession.
More Information