www.healthequity.com
104.16.21.42  Public Scan

Submitted URL: https://click.e.healthequity.com/?qs=18e4ffe8fe9e6f29a731e42f20bde5dfce15d1203f3155d18c71e67e60653f9ef850df7d1eed270b33e87850e379...
Effective URL: https://www.healthequity.com/security?utm_source=sfmc&utm_medium=email&utm_campaign=Miscellaneous_HCFSA_5136086_100323
Submission: On October 10 via api from US — Scanned from DE

Form analysis 1 forms found in the DOM

GET https://www2.healthequity.com/open-account/

<form class="search_form" action="https://www2.healthequity.com/open-account/" accept-charset="UTF-8" method="get">
  <input type="hidden" name="utm_source" id="utm_source" value="sfmc" autocomplete="off">
  <input type="hidden" name="utm_medium" id="utm_medium" value="email" autocomplete="off">
  <input type="hidden" name="utm_campaign" id="utm_campaign" value="Miscellaneous_HCFSA_5136086_100323" autocomplete="off">
  <input type="submit" name="commit" value="Individual" class="login-type-header" data-disable-with="Individual">
</form>

Text Content


RISK AND SECURITY

Remarkable service begins with remarkable trust. This is how we're building it
at HealthEquity.

2023 Security Report

SOC 2

Service Organization Controls (SOC 2) (Type II) Trust Services Principles

NIST CSF

National Institute of Standards and Technology Cybersecurity Framework

HIPAA

Health Insurance Portability and Accountability Act


STRENGTHENING OUR TOTAL SOLUTION

At HealthEquity, our mission is to help our members connect health and wealth.
We have become an industry leader in administering Health Savings Accounts, in
addition to our roster of other products and benefits, by bringing together
advanced technology and remarkable service.

As part of our remarkable service, we are committed to protecting the
confidentiality, integrity, and availability of your personal information and
our systems and applications.

This site explains our approach to securing your data against cyber
threats—employing secure design and testing practices, developing a world-class
Risk & Security organization, and building strong partnerships across the
cybersecurity industry.


OUR GUIDING PRINCIPLES

People First

HealthEquity team members are our first line of defense against cyber
attacks—this is why we are investing in tools and training for security
awareness, as well as why we prioritize building a world-class Risk and Security
team.

Purple Trust

The adoption of the Zero Trust security framework at HealthEquity strengthens
network security by verifying what can access corporate resources and services.
Our redesigned “always on VPN” has also allowed our team members to safely work
from home.

Converged Learning

Managing cybersecurity, physical security, fraud, compliance, enterprise risk,
and privacy under one team is not just an administrative exercise. It also means
we combine the decision-making practices and lessons we have learned from each
of these skillsets.

Strong Partnerships

Moving to the cloud and integrating our platforms is an “all-hands on-deck”
effort for HealthEquity. Internal and external partnerships are critical—we have
built relationships with state and federal law enforcement and security
information-sharing organizations.


THE CONVERGED TEAM

Our cross-functional team is staffed with subject matter experts and leaders
from each of these areas:

Risk and Compliance

Our Risk and Compliance organization functions at the enterprise level: managing
operational, financial, and security risks for the entire company. They serve as
our Second Line of Defense, building a mature program with our Legal and
Internal Audit organizations.

Cybersecurity

We follow a defense-in-depth security model with a Joint Security Operations
Center (JSOC) and Data Protection team working with security architects and
engineers deploying controls designed to prevent or limit the success of an
attack.

Fraud Prevention

Our Fraud Strategy and Prevention team is leveraging the best practices of fraud
prevention and cybersecurity monitoring to protect the transactions of our
members and clients.

Physical Security and Crisis Management

Led by federal law enforcement veterans, our People Safety team is responsible
for ensuring the security of our 3,000+ team members across the US. We also
conduct regular tabletop exercises to ensure we are ready to respond to crises.

Privacy

Our Data Privacy and Governance team helps our technology teams build a lasting
roadmap for creating our products, services, and standards with privacy by
design and transparency at the forefront. See our privacy policy here.




DETAILED CAPABILITIES

 * Statement on Standards for Attestation Engagements 18 (SSAE-18) and Service
   and Organization Controls (SOC 1 and 2) reports
 * Routine third-party validation testing
 * Assessment and testing for vulnerabilities, recovery, and capacity
 * Intrusion prevention program
 * Multiple redundant data centers
 * Plans tested routinely
 * Multiple call centers with dynamic call migration
   
   
 * All employees and non-employees with access to HealthEquity systems and data
   complete mandatory compliance, privacy, and security training upon hire and
   every year thereafter
 * Health Insurance Portability and Accountability Act (HIPAA Security Rule)
 * An external NIST CSF Assessment was done in 2021, mapped to HIPAA and GLBA
   controls
 * Policies and procedures are mapped to NIST CSF
 * Employment verification and criminal checks for US employees


RESPONSIBLE DISCLOSURE PROCESS

This section is for security researchers who are interested in reporting
security vulnerabilities on the HealthEquity platform. We value the assistance
of the security research community and encourage researchers or others to report
any potential vulnerabilities in accordance with the guidelines below.

Safe Harbor

We will not pursue legal action against researchers who comply with the
HealthEquity defined responsible disclosure process.

Reward/Compensation

HealthEquity does not operate a bug bounty program and makes no offer of reward
or compensation. If you are the first to report a qualifying vulnerability and
would like to be included in our Security Researcher Hall of Fame, please
provide us with your name and a link for recognition.

Reporting Instructions

 * Email us at responsibledisclosure@healthequity.com.

 * Report issues promptly and do not attempt to further exploit the system or
   its data once you have confirmed and documented the issue.
 * Include a detailed description of the vulnerability: tools utilized, target,
   processes, and results.
 * Do NOT include any sensitive/personal/non-public data samples; a description
   of such data is sufficient.

Acknowledgement and Response

When the HealthEquity Information Security Team receives a report, we will send
an acknowledgement within three business days. Request(s) for further
information may be sent as needed. After validation/verification of a
vulnerability, additional communications will be sent through resolution.

Timeframe

HealthEquity will not negotiate in response to a threat (e.g., a threat of
withholding, or threat of releasing the vulnerability to the public). However,
we will work with you, and ask that you allow us a reasonable amount of time for
both the validation/verification and the resolution of the vulnerability before
taking action to make it public. We will not share names or contact data of
security researchers unless given explicit consent.

External Vulnerability Reporting

Reporting of vulnerability information to other third parties or vendors will be
determined at the discretion of HealthEquity.

Responsible Disclosure Guidelines

DO:

 * Do cease testing and report the vulnerability or exposure of non-public or
   sensitive data as quickly as is reasonably possible to
   responsibledisclosure@healthequity.com, to minimize the risk of hostile
   actors finding or taking advantage of it.

 * Do provide sufficient information to reproduce the problem so we will be able
   to resolve it as quickly as possible. Usually, the IP (Internet Protocol)
   address or the URL (Uniform Resource Locator) and a description of the
   vulnerability will be sufficient, but complex vulnerabilities may require
   further explanation.
 * Do limit testing to HealthEquity owned applications as defined in the
   ‘In-Scope’ section of this policy.
 * Do remove any non-public or sensitive data from your system that might have
   been obtained during testing.


DO NOT:

 * Do not take advantage of the vulnerability or problem you have discovered,
   for example by downloading more data than necessary to demonstrate the
   vulnerability, making changes to the system, installing malicious software,
   or deleting or modifying other people’s data.
 * Do not test third-party applications, websites, or services that integrate
   with, or link to or from HealthEquity systems.
 * Do not test in a manner which could degrade the operation of HealthEquity
   systems or intentionally impair, disrupt, or disable HealthEquity systems.
 * Do not build your own backdoor into a system, even if the intention is to
   demonstrate the vulnerability; doing so can cause additional damage and
   create unnecessary security risks.
 * Do not reveal the problem to others until it has been resolved.
 * Do not use attacks on physical security, social engineering, distributed
   denial of service, spam, phishing, or applications of third parties.
 * Do not include any sensitive/personal/non-public data samples in your report;
   a description of such data is sufficient.

In Scope

All publicly accessible domains, applications, and systems owned by HealthEquity
and its subsidiaries. If you have any other information you would like to
provide to our security team, please do so via the Reporting Instructions.

Out of Scope

When reporting vulnerabilities, please consider (1) attack
scenario/exploitability, and (2) security impact of the bug. The following
issues are considered out of scope:

 * Vulnerabilities that require access to an already compromised user account
   (unless access to an account exposes other accounts).
 * Policies as opposed to implementations, such as email verification or
   password length or reuse.
 * Spam (unless a specific vulnerability leads to easily sending spam).
 * Missing security headers or ‘best practices’ (except if you are able to
   demonstrate a vulnerability that makes use of their absence).
 * Distributed Denial of Service attacks (DDoS).
 * Social engineering attacks.
 * Third party applications we make use of but do not control (e.g., a media
   library or social media service).

Security Researcher Hall of Fame

HealthEquity would like to publicly express our gratitude to the following
security researchers for responsibly disclosing vulnerabilities and working with
us to remediate them. We truly appreciate your remarkable efforts!

--------------------------------------------------------------------------------


© 2002-2023 HealthEquity, Inc. All rights reserved