Health savings accounts have become a prime target for cyber criminals, who are using advanced tactics to steal funds from them, putting your employees’ medical expense savings at risk.
The risk is even greater considering that employees can keep HSAs for life and many of them are building wealth in these accounts to save for future medical costs in their retirement years.
As the popularity and value of HSAs grows, employers are in a unique position to train their workers on how to best protect their accounts from cyberattacks that can drain their hard-earned medical expense savings.
Criminals see HSAs as ripe for plundering
HSAs have surged in popularity in recent years, with assets growing by 18% between mid-2023 and mid-2024 alone. There are an estimated 38 million HSA accounts in the U.S. with a combined $137 billion in funds, according to investment research firm Devenir.
Thanks to the portability of these accounts and the ability to invest them in investment funds — much like 401(k) plans — some HSAs hold large balances. That makes them especially appealing to cyber criminals.
While HSA providers have invested heavily in cyber security, threats continue to evolve because cyber attackers aren't always breaching the providers directly. Sometimes they gain access through third-party vendors or by leveraging personal information leaked in unrelated breaches.
For example, HSA provider HealthEquity reported that attackers gained access to one of its business partner’s accounts in 2024, potentially compromising the personal data of more than 4 million account holders.
Criminals may also send scam e-mails that direct account holders to bogus sites that steal their account username and password.
Once attackers have access to personal information, they may bypass security measures through phishing e-mails, social engineering tactics or brute-force password attacks. In some cases, they exploit weak or reused passwords and intercept sensitive communications.
Employers can help
Given how deeply integrated HSAs are into employee benefits, employers can help by providing training that teaches their staff how to protect their HSA accounts and recognize phishing attempts or social engineering scams.
Cyber security education doesn't have to be complex. Even short, focused sessions on topics like password hygiene, spotting suspicious e-mails and using multi-factor authentication can make a significant difference.
Here are some steps every HSA holder should take:
- Monitor account alerts and e-mails: Always check for e-mails or notifications about changes to your account, like updated contact info or security settings. If something looks unfamiliar, report it to your HSA provider immediately.
- Review account transactions regularly: Just like with a bank or credit card statement, it’s important to review your HSA transactions to ensure all activity is legitimate. Most providers allow users to freeze their benefits card if they suspect fraud.
- Use strong, unique passwords: Never reuse passwords across accounts, and consider using a password manager to create and store complex, randomized passwords. The longer and more unique the password, the better.
- Enable multi-factor authentication: Many providers are expanding MFA options to add an extra layer of security. This can include verification codes sent via text or e-mail, or biometric verification.
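The first three steps above can be rehearsed in a training session with a small script. The Python below is an added illustration, not material from the article or from any HSA provider: it screens the links in a constructed account-alert e-mail the way a cautious account holder would (does the link really go to the provider's domain, does the address shown match the address behind it, is the connection HTTPS), and it produces the kind of long, randomized password a password manager would. The provider domain `hsa-provider.example` is a placeholder; in practice the employee compares against the address their own provider publishes.

```python
import re
import secrets
import string
from typing import List, Optional
from urllib.parse import urlparse

# Placeholder for the provider's real login domain (assumption for this example).
TRUSTED_DOMAINS = {"hsa-provider.example"}

# Matches <a href="...">visible text</a> in simple HTML e-mail bodies.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Visible link text that itself looks like a web address.
ADDRESS_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True when host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """Trusted domain that this untrusted host imitates by embedding its name, if any."""
    for d in trusted:
        label = d.split(".")[0]  # e.g. 'hsa-provider'
        if label in host and not is_trusted(host, trusted):
            return d
    return None


def check_links(html: str, trusted=TRUSTED_DOMAINS) -> List[str]:
    """Return a list of reasons each link in the e-mail is suspicious (empty = no findings)."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        host = hostname(href)
        if not is_trusted(host, trusted):
            findings.append(f"link to untrusted host {host!r}")
        imitated = lookalike_of(host, trusted)
        if imitated:
            findings.append(f"host {host!r} imitates trusted domain {imitated!r}")
        if urlparse(href).scheme.lower() != "https":
            findings.append(f"non-HTTPS link {href!r}")
        # If the visible text is itself an address, it must agree with the real destination.
        if ADDRESS_RE.fullmatch(visible):
            shown_host = hostname(visible if "://" in visible else "https://" + visible)
            if shown_host != host:
                findings.append(f"displayed address {shown_host!r} differs from actual host {host!r}")
    return findings


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, as a password manager would generate."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample messages (not real e-mails): a forged "contact info changed" alert
# whose link text shows the provider's address but points elsewhere, and a genuine alert.
PHISHING_EMAIL = """
<p>Your HSA contact information was changed. If this was not you, sign in now:</p>
<a href="http://hsa-provider.example.account-verify.net/login">https://hsa-provider.example/login</a>
"""
LEGIT_EMAIL = """
<p>A new transaction posted to your HSA.</p>
<a href="https://www.hsa-provider.example/alerts">Review your alerts</a>
"""

if __name__ == "__main__":
    for name, body in (("forged alert", PHISHING_EMAIL), ("genuine alert", LEGIT_EMAIL)):
        print(name, "->", check_links(body) or ["no findings"])
    print("example generated password:", generate_password())
```

Run as-is, the forged alert yields four findings (untrusted host, look-alike of the provider domain, plain HTTP, and a displayed address that differs from the real destination) while the genuine alert yields none, which is the distinction the "monitor account alerts" step asks employees to make before clicking.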