HealthEquity administers Health Savings Accounts and consumer-directed benefits for millions of Americans navigating healthcare finance, a domain where regulatory complexity meets high-stakes personal data. As an IRS-designated non-bank HSA trustee, the company operates at the intersection of financial technology and benefits administration, processing healthcare dollars through systems that must satisfy both HIPAA requirements and financial services compliance. The attack surface spans account management platforms, employer integrations, and financial advisor portals.
The technical stack centers on Workday for HR and benefits operations, with Salesforce handling customer relationship management. Security teams work across fintech threat models (account takeover, payment fraud, credential stuffing) layered with healthcare-specific risks around protected health information. The company manages FSAs, HRAs, and COBRA alongside its core HSA product, creating multiple data flows between employers, financial institutions, and individual account holders. Operations run entirely within the United States under federal healthcare and financial regulations.
The threat model includes both external attackers targeting financial accounts and insider risk from employees accessing sensitive health and financial data across enterprise clients. Security architecture must account for partner integrations with employers and financial advisors, where weak links in third-party systems can expose HealthEquity's infrastructure. The scale of the operation, with the company positioned as a leading HSA administrator, means compromise scenarios affect working Americans' healthcare savings and medical expense records simultaneously.