
Using advanced fraud-detection strategies to protect Health Savings Accounts


Key takeaways: HSA security is a growing concern for employee benefits leaders and HSA holders. Attacks are increasingly sophisticated, and protecting health information, financial data, and personal information requires a layered, technology-enabled approach. HSA providers must ensure account holders have secure, reliable, and seamless access to their accounts.

Benefits leaders should look for:

  • Security frameworks, including SOC 2 certification and NIST guidance
  • Phishing-resistant authentication standards
  • Transaction-level risk assessment that doesn’t sacrifice card approvals


Health Savings Accounts (HSAs) are a powerful tool for both employers and employees. They provide a tax-advantaged way to save, spend, and invest in qualified medical expenses. However, they are becoming an increasingly attractive target for cybercriminals.

Unlike traditional financial accounts, HSAs contain a powerful combination of protected health information (PHI), financial data, and personally identifiable information (PII). This makes them particularly valuable on the black market—stolen medical records can be worth up to $310 per record, roughly ten times the value of stolen credit card data.[1]

As healthcare fraud continues to rise, HSA providers face a critical challenge: protecting sensitive data while ensuring account holders can access their healthcare funds quickly and easily.

Delivering both security and a seamless experience requires a layered, technology-driven approach.

Why are cyber criminals targeting HSAs?

Healthcare fraud is accelerating across the industry. In 2024 alone, credit card fraud accounted for 43.9% of all identity theft reports.[2]

Modern attackers are increasingly sophisticated, using automated tools and artificial intelligence to compromise accounts.[3]

Common tactics include:

  • Credential stuffing attacks using stolen passwords
  • Bots that probe and test payment card numbers
  • Phishing campaigns designed to capture login credentials
  • Automated transaction testing to identify active accounts

Healthcare payments present an additional challenge for fraud detection. Legitimate medical transactions—such as recurring pharmacy purchases or predictable medical payments—can sometimes resemble automated attack patterns.[4]

For HSA providers, the goal is clear but difficult: stop fraudulent transactions without blocking legitimate healthcare purchases.

What to look for in a secure HSA provider

Employers evaluating HSA partners should look for organizations that follow recognized security standards and deploy modern fraud prevention technologies.

Key security practices include:

SOC 2 Certification

Service Organization Control Type 2 (SOC 2) certification is an independent evaluation of a company’s security controls and data protection practices. Providers should be able to share their SOC 2 report during the evaluation process.

Industry Security Frameworks

Providers should follow established cybersecurity and healthcare privacy standards, including guidance from the National Institute of Standards and Technology and compliance with the Health Insurance Portability and Accountability Act (HIPAA).

These frameworks help ensure sensitive health and financial data is handled responsibly.

Phishing-Resistant Authentication

Traditional passwords remain one of the weakest points in account security. Modern authentication replaces passwords with passkeys, which allow users to log in using biometric authentication such as Face ID, fingerprint recognition, or a device PIN.[5]

Supported by organizations like the FIDO Alliance, passkeys help eliminate the risk of password theft and phishing attacks.[6]

Risk-Based Authentication

Risk-based authentication evaluates login attempts in real time based on signals such as:

  • Device type
  • Location
  • Behavioral patterns

Suspicious activity can trigger additional verification or access restrictions before an attacker gains entry.

Vendor Security Oversight

Third-party vendors can introduce additional risk. HSA providers should carefully vet partners responsible for:

  • Payment card services
  • Bank account verification
  • Customer support systems

Strong vendor oversight helps reduce exposure across the entire ecosystem.

How does real-time fraud detection work?

Even with strong login security, payment cards remain a major target for fraud.

To address this challenge, HealthEquity partnered with Visa[7] to deploy a multi-layered, AI-powered fraud detection system operating in real time at the transaction level.

Visa’s global network processes more than 320 billion transactions each year across over 150 million merchant locations in more than 220 countries and territories. This scale provides valuable insight into emerging fraud patterns worldwide.[7]

By combining that intelligence with healthcare-specific payment data, HealthEquity can detect threats quickly while minimizing disruption to legitimate purchases.

Detecting fraud at the transaction level

The fraud detection system evaluates transactions using multiple layers of analysis, including:

Bot and card testing detection

The system monitors for automated attempts to probe card numbers or verify whether a card is active.

Digital wallet protections

Transactions involving mobile wallets such as Apple Pay or Google Pay are evaluated with specialized fraud controls.

Real-time risk scoring

More than 500 risk attributes are analyzed within milliseconds to determine whether a transaction should be approved.

Transaction context analysis

The system evaluates differences between:

  • Ecommerce transactions
  • In-person purchases

This context allows more accurate risk decisions without slowing down legitimate transactions.
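The bot and card-testing layer above, and the earlier caveat that recurring pharmacy purchases can resemble automated patterns, can be illustrated with one rule. This is an added example, not HealthEquity's or Visa's code; the record format, the constructed sample, and the thresholds (60-second window, 8 distinct cards, 60% declines, amounts of $5 or less) are assumptions. It flags a merchant only when a short window shows many distinct low-value cards that mostly decline, so a single member's monthly refill at one pharmacy is not flagged even though it is predictable.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthAttempt:
    ts: datetime
    merchant: str
    card_token: str   # tokenized card reference, never the raw PAN
    amount: float
    approved: bool


# Constructed sample (hypothetical): a 12-second burst of $1.00 probes
# across different cards at one online merchant, beside one member's
# recurring $24.99 pharmacy refill every 30 days.
def _t(seconds):
    return datetime(2025, 9, 1, 9, 0, 0) + timedelta(seconds=seconds)


SAMPLE = [AuthAttempt(_t(i), "MERCH-ONLINE-1", f"tok{i:03d}", 1.00, i % 5 == 0)
          for i in range(12)]
SAMPLE += [AuthAttempt(_t(86400 * d), "PHARMACY-42", "tok-member", 24.99, True)
           for d in range(0, 90, 30)]


def card_testing_windows(attempts, window=timedelta(seconds=60),
                         min_cards=8, max_amount=5.00, min_decline_rate=0.6):
    """Return {merchant: (distinct_cards, decline_rate)} for the first
    sliding window at each merchant that looks like card testing."""
    by_merchant = defaultdict(list)
    for a in attempts:
        by_merchant[a.merchant].append(a)
    flagged = {}
    for merchant, rows in by_merchant.items():
        rows.sort(key=lambda a: a.ts)
        lo = 0
        for hi in range(len(rows)):
            while rows[hi].ts - rows[lo].ts > window:   # slide window start
                lo += 1
            win = [a for a in rows[lo:hi + 1] if a.amount <= max_amount]
            cards = {a.card_token for a in win}
            if len(cards) >= min_cards:
                decline_rate = sum(not a.approved for a in win) / len(win)
                if decline_rate >= min_decline_rate:
                    flagged[merchant] = (len(cards), round(decline_rate, 2))
                    break
    return flagged
```

In a real scoring system this is one of many signals combined with device, wallet, and channel context rather than a standalone decline rule.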

Learn more about how we tailored these tools in our Visa/HealthEquity white paper.

Results from HealthEquity’s fraud prevention system

These security investments are designed to protect account holders while maintaining a smooth payment experience. Recent outcomes include:

  • 98% card authorization rate
  • Over 30% improvement in early-stage fraud detection
  • False-positive fraud alerts reduced to below a 5:1 ratio

These improvements help ensure that legitimate healthcare transactions are approved while fraudulent activity is stopped earlier.

Why security and member experience must work together

Fraud prevention isn’t just about stopping attackers; it’s about protecting real people.

It’s the parent picking up a prescription late at night for a sick child. It’s the patient making a payment before an upcoming procedure. It’s the benefits administrator helping employees navigate their healthcare finances.

When fraud detection works effectively, account holders can trust that their funds and personal information are protected without unnecessary interruptions.

By combining HealthEquity’s healthcare expertise with the global fraud intelligence of Visa, we’ve built a fraud prevention framework designed to deliver both: strong protection and a seamless experience for every transaction.

Because when someone needs their healthcare funds, their card should simply work.

Visit our Trust Center to learn more about how HealthEquity is setting the standard for HSA security.

HealthEquity does not provide legal, tax or financial advice.

HealthEquity and Visa are separate, unaffiliated companies and are not responsible for each other’s policies or services.

Google Pay™ and the Google Play logo are trademarks of Google LLC.

App Store® is a service mark of Apple Inc.

[1] Patient Protect, “Healthcare Breach Statistics,” 2025.

[2] Insurance Information Institute, “Identity theft and cybercrime fact sheet,” 2024.

[3] Group IB, “The dark side of automation and rise of the AI agent,” 2025.

[4] Visa and HealthEquity, “Raising the bar in fraud prevention while advancing trust, security and innovation in healthcare payments,” 2026.

[5] HealthEquity, Biometric Data Privacy Policy.

[6] FIDO Alliance, Passkey Security.

[7] Visa Fact Sheet, September 2025.


About the author

Sunil Seshadri, Chief Security Officer, HealthEquity

Chief Security Officer Sunil Seshadri leads the Security and Fraud functions. He plays a critical role in architecting and executing the company's strategy to enhance resiliency, drive innovation, and streamline processes for a safer environment.
