Humana is informing members about a “sophisticated spoofing attack” which potentially resulted in the exposure of their protected health information (PHI).
A spoofing attack is an attempt, either by a bot or a threat actor, to gain control of a system or data using stolen or spoofed login credentials. Humana discovered the attack on June 3, when a large number of failed login attempts were detected from foreign IP addresses. Immediate action was taken to stop the attack, and the foreign IP addresses were blocked from accessing the Humana.com and Go365.com websites on June 4, 2018.
Humana stated that the attacker had a database of user IDs, which were used together with a list of passwords in a brute force attack. The account login credentials are likely old and were probably obtained by the attacker from a breach elsewhere. Given the high number of login failures, Humana does not believe its own systems were the source of the credentials.
The website accounts did not include stored Social Security numbers or financial data, only information on dental, medical, and vision claims, health insurance provider names, services performed, dates of service, charge amounts, paid amounts, spending account information, balance information, wellness information, and biometric data.
Humana says no reports have been received to suggest any members’ data were stolen in the breach; nevertheless, as a safety measure, all members whose accounts may have been accessed have been offered 12 months of free credit monitoring and identity theft protection services through the Equifax Credit Watch Gold service. All account passwords were also reset for security purposes.
Humana is presently implementing new configurations to enhance the protection of its websites and has deployed a new system that issues notifications of successful and failed sign-in attempts.
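The pattern described above (many failed sign-ins from a small set of foreign sources, spread across a list of user IDs, with very few successes) is distinguishable in authentication logs from an ordinary member mistyping a password. The following is an added illustration, not Humana's code or logs: it aggregates constructed sign-in events per source IP, flags sources whose attempt count, spread of distinct accounts and low success ratio match credential stuffing, and lists the accounts that did succeed from such a source, which are the ones that may have been accessed and need a reset and notification. The event format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in events: (timestamp, source_ip, user_id, outcome).
# Made-up values for illustration only; not taken from any real system or log.
def build_sample_events():
    events = []
    # One source cycling through a list of member IDs; nearly every attempt fails.
    for i in range(40):
        outcome = "success" if i in (5, 27) else "fail"
        events.append((f"2018-06-03T01:00:{i:02d}", "203.0.113.7",
                       f"member{i % 30:03d}", outcome))
    # A single legitimate member mistyping a password twice, then signing in.
    events += [
        ("2018-06-03T01:05:00", "198.51.100.9", "member777", "fail"),
        ("2018-06-03T01:05:20", "198.51.100.9", "member777", "fail"),
        ("2018-06-03T01:05:45", "198.51.100.9", "member777", "success"),
    ]
    return events

SAMPLE_EVENTS = build_sample_events()

def source_stats(events):
    """Aggregate per source IP: attempts, distinct user IDs tried, accounts hit."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": set()})
    for _ts, ip, user, outcome in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome == "success":
            s["hits"].add(user)
    return stats

def flag_credential_stuffing(events, min_attempts=20, min_distinct_users=10,
                             max_success_ratio=0.2):
    """Return {ip: details} for sources whose activity matches credential stuffing:
    many attempts spread over many distinct accounts with a low success ratio.
    A low ratio is the same signal the notice relies on: credentials that mostly
    fail were probably harvested elsewhere and are stale, not leaked locally."""
    flagged = {}
    for ip, s in source_stats(events).items():
        ratio = len(s["hits"]) / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and ratio <= max_success_ratio):
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "success_ratio": round(ratio, 3),
                           "accessed_users": sorted(s["hits"])}  # reset + notify
    return flagged

if __name__ == "__main__":
    for ip, details in flag_credential_stuffing(SAMPLE_EVENTS).items():
        print(ip, details)
```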
This attack may simply have been a brute force attempt to access users' accounts using only usernames obtained in a former breach and a list of commonly used passwords. To reduce the chance of such an attack resulting in unauthorized access to website accounts, strong, complex passwords should be used, and they should be unique: a password should not be one that has previously been used on any other account.