The personal and health information of 4.3 million people was accessed by bad actors following the compromise of a business partner's account, according to HealthEquity, which manages millions of health care savings accounts and third-party health care plans around the country.
According to a breach notice filed with the state of Maine, hackers breached the account of the unnamed business partner on March 9, but HealthEquity did not discover it until June 26, giving the threat actors more than three months of access.
In a notice to the Securities and Exchange Commission (SEC) July 2, company executives wrote that they “became aware, through routine monitoring, of anomalous behavior by a personal use device belonging to a business partner [and] promptly took steps to isolate and triage the issue and began an investigation into the nature and scope of the issue.”
They found that the hackers used the partner’s account to gain access to other customers’ account information, including their names, addresses, employers’ names, employee IDs, Social Security numbers, and payment card information.
The attackers didn’t put malicious code onto HealthEquity systems and none of the company’s business operations or services were interrupted. Now the company, which says on its website that it serves more than 14 million members and more than 120,000 organizations, is preparing to send out letters to 4.3 million people informing them that their information may have been illegally accessed. The plan is to send the notifications by August 9, HealthEquity said on the Maine bulletin.
“The affected data primarily consisted of sign-up information for accounts and benefits we administer,” the company wrote in a sample of the letter the executives plan to send and which can be accessed via a link on the Maine notification, adding that “not all data categories were affected for every person.”
According to the letter, HealthEquity was alerted on March 25 to a "systems anomaly" that required an extensive technical investigation, including data forensics work, which ran until June 10. The investigation found that the hackers had gained access to protected health information (PHI) and personally identifiable information (PII) stored in an unstructured data repository outside the company's core systems.
Vendor user accounts with access to HealthEquity's online data storage location were compromised, enabling the bad actors to gain unauthorized access to a "limited amount of data." By June 26, the investigators had validated the data and determined whose information was compromised.
The executives said they are unaware of anyone misusing the information. Still, like most other companies that were victims of data breaches, HealthEquity is offering free credit monitoring and identity theft services, in this case for two years from Equifax.
“As a result of our investigation, we took immediate actions including disabling all potentially compromised vendor accounts and terminating all active sessions; blocking all IP addresses associated with threat actor activity; and implementing a global password reset for the impacted vendor,” the executives wrote in the sample letter. “Additionally, we enhanced our security and monitoring efforts, internal controls, and security posture.”
The health care industry has been a top target for ransomware groups and other threat actors, in large part because of the massive amounts of sensitive personal and health information its organizations hold. Health care organizations also run large numbers of internet-connected devices and have a reputation both for weak cybersecurity protection and for paying ransoms for seized or stolen data.
In the wake of the massive ransomware attack on Change Healthcare – a subsidiary of health insurance services giant UnitedHealth Group – earlier this year, the U.S. Health and Human Services Department (HHS) noted that over the past five years, the number of large data breaches reported to the agency's Office for Civil Rights involving hacking jumped 256%. For such incidents related to ransomware, the increase was 264%.
Change, which processes payments, medical and insurance claims, and prescription orders for hospitals and other health care providers, reportedly paid the bad actors a $22 million ransom.