Risk and Security | HealthEquity Skip to content

Risk and Security

Remarkable service begins with remarkable trust. This is how we're building it at HealthEquity.

2023 Security Report


Service Organization Controls (Soc2) (Type II) Trust Services Principles


National Institute of Standards and Technology Cybersecurity Framework


Health Insurance Portability and Accountability Act

Strengthening our
Total Solution

At HealthEquity, our mission is to help our members connect health and wealth. We have become an industry leader in administering Health Savings Accounts, in addition to our roster of other products and benefits, by bringing together advanced technology and remarkable service.

As part of our remarkable service, we are committed to protecting the confidentiality, integrity, and availability of your personal information and our systems and applications.

This site explains our approach to securing your data against cyber threats—employing secure design and testing practices, developing a world-class Risk & Security organization, and building strong partnerships across the cybersecurity industry.

Our Guiding Principles

People First

HealthEquity team members are our first line of defense against cyber attacks—this is why we are investing in tools and training for security awareness, as well as why we prioritize building a world-class Risk and Security team.

Purple Trust

The adoption of the Zero Trust security framework at HealthEquity strengthens network security by verifying what can access corporate resources and services. Our redesigned “always on VPN” has also allowed our team members to safely work from home.

Converged Learning

Managing cybersecurity, physical security, fraud, compliance, enterprise risk, and privacy under one team is not just an administrative exercise. It also means we combine the decision-making practices and lessons we have learned from each of these skillsets.

Strong Partnerships

Moving to the cloud and integrating our platforms is an “all-hands on-deck” effort for HealthEquity. Internal and external partnerships are critical—we have built relationships with state and federal law enforcement and security information-sharing organizations.

The Converged Team

Our cross-functional team is staffed with subject matter experts and leaders from each of these areas:

Risk and Compliance

Our Risk and Compliance organization functions at the enterprise level: managing operational, financial, and security risks for the entire company. They serve as our Second Line of Defense, building a mature program with our Legal and Internal Audit organizations.


We follow a defense-in-depth security model with a Joint Security Operations Center (JSOC) and Data Protection team working with security architects and engineers deploying controls designed to prevent or limit the success of an attack.

Fraud Prevention

Our Fraud Strategy and Prevention team is leveraging the best practices of fraud prevention and cybersecurity monitoring to protect the transactions of our members and clients.

Physical Security and Crisis Management

Led by federal law enforcement veterans, our People Safety team is responsible for ensuring the security of our 3,000+ team members across the US. We also conduct regular tabletop exercises to ensure we are ready to respond to crises.


Our Data Privacy and Governance team helps our technology teams build a lasting roadmap to creating our products, services, and standards with privacy by design, and transparency at the forefront. See our privacy policy here.

Detailed Capabilities

  • Statement on Standards for Attestation Engagements 18 (SSAE-18) and Service and Organization Controls (SOC 1 and 2) reports
  • Routine third-party validation testing
  • Assessment and testing for vulnerabilities, recovery, and capacity
  • Intrusion prevention program
  • Multiple redundant data centers
  • Plans tested routinely
  • Multiple call centers with dynamic call migration

  • All employees and non-employees with access to HealthEquity systems and data complete mandatory compliance, privacy, and security training upon hire and every year thereafter
  • Health Insurance Portability and Accountability Act (HIPAA Security Rule)
  • An external NIST CSF Assessment was done in 2021, mapped to HIPAA and GLBA controls
  • Policies and procedures are mapped to NIST CSF
  • Employment verification and criminal checks for US employees

Responsible Disclosure Process

This section is for security researchers who are interested in reporting security vulnerabilities on the HealthEquity platform. We value the assistance of the security research community and encourage researchers or others to report any potential vulnerabilities in accordance with the guidelines below.

Safe Harbor

We will not pursue legal action against researchers who comply with the HealthEquity defined responsible disclosure process.

Reward/ Compensation

HealthEquity does not operate a bug bounty program and makes no offer of reward or compensation. If you are the first to report a qualifying vulnerability and would like to be included in our Security Researcher Hall of Fame, please provide us with your name and a link for recognition.

Reporting Instructions

We will not pursue legal action against researchers who comply with the HealthEquity defined responsible disclosure process.

  • Email us at responsibledisclosure@

  • Report issues promptly and do not attempt to further exploit the system or its data once you have confirmed and documented the issue.
  • Include a detailed description of the vulnerability: tools utilized, target, processes, and results.
  • Do NOT include any sensitive/personal/non-public data samples, a description of such data is sufficient.

Acknowledgement and Response

When the HealthEquity Information Security Team receives a report, we will send an acknowledgement within three business days. Request(s) for further information may be sent as needed. After validation/verification of a vulnerability, additional communications will be sent through resolution.


HealthEquity will not negotiate in response to a threat (e.g., a threat of withholding, or threat of releasing the vulnerability to the public). However, we will work with you, and ask that you allow us a reasonable amount of time for both the validation/verification and the resolution of the vulnerability before taking action to make it public. We will not share names or contact data of security researchers unless given explicit consent.

External Vulnerability Reporting

Reporting of vulnerability information to other third parties or vendors will be determined at the discretion of HealthEquity.

Responsible Disclosure Guidelines


  • Do cease testing and report the vulnerability or exposure of non-public or sensitive data as quickly as is reasonably possible to responsibledisclosure@
    , to minimize the risk of hostile actors finding or taking advantage of it.

  • Do provide sufficient information to reproduce the problem so we will be able to resolve it as quickly as possible. Usually, the IP (Internet Protocol) address or the URL (Universal Resource Locators) and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
  • Do limit testing to HealthEquity owned applications as defined in the ‘In-Scope’ section of this policy.
  • Do remove any non-public or sensitive data from your system that might have been obtained during testing.


  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, making changes to the system, installing malicious software, or deleting or modifying other people’s data.
  • Do not test third-party applications, websites, or services that integrate with, or link to or from HealthEquity systems.
  • Do not test in a manner which could degrade the operation of HealthEquity systems or intentionally impair, disrupt, or disable HealthEquity systems.
  • Do not build your own backdoor into a system, even if the intention is to demonstrate the vulnerability; doing so can cause additional damage and create unnecessary security risks.
  • Do not reveal the problem to others until it has been resolved.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam, phishing, or applications of third parties.
  • Do not include any sensitive/personal/non-public data samples in your report, a description of such data is sufficient.

In Scope

All publicly accessible domains, applications, and systems owned by HealthEquity and its subsidiaries. If you have any other information you would like to provide to our security team, please do so via the Reporting Instructions.

Out of Scope

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Vulnerabilities that require access to an already compromised user account (unless access to an account exposes other accounts).
  • Policies as opposed to implementations, such as email verification or password length or reuse.
  • Spam (unless a specific vulnerability leads to easily sending spam).
  • Missing security headers or ‘best practices’ (except if you are able to demonstrate a vulnerability that makes use of their absence).
  • Distributed Denial of Service attacks (DDoS).
  • Social engineering attacks.
  • Third party applications we make use of but do not control (e.g., a media library or social media service).

Security Researcher Hall of Fame

HealthEquity would like to publicly express our gratitude to the following security researchers for responsibly disclosing vulnerabilities and working with us to remediate them. We truly appreciate your remarkable efforts!

COBRA/Direct Bill Employer login

Please refer to your Client Welcome email for the URL of your specific COBRA/Direct Bill Employer login page.