Humana Notifies Members About Sophisticated Cyber Spoofing Attack That Exposed PHI

Humana is informing members about a “sophisticated spoofing attack” which potentially resulted in the exposure of their protected health information (PHI).

A spoofing attack is an attempt, either by a bot or threat actor, to gain control of a system or data using stolen or spoofed login credentials. Humana discovered the attack on June 3, when many failed login attempts were detected from foreign IP addresses. Immediate action was taken to stop the attack and the foreign IP addresses were blocked from accessing and websites on June 4, 2018.

Humana stated that the attacker had a database of user IDs which were used with a list of passwords in a brute force attack. It is likely the account login credentials are old and the attacker got them from a breach elsewhere. Due to the high number of login failures, Humana does not believe it was the source of the data.

The website accounts did not include stored Social Security numbers or financial data, only information on dental, medical, and vision claims, health insurance provider names, services performed, dates of service, charge amounts, paid amounts, spending account information, balance information, wellness information, and biometric data.

Humana says no reports have been received to suggest any members’ data were stolen in the breach; nevertheless, as a safety measure, all members whose accounts may have been accessed have been offered 12 months of free credit monitoring and identity theft protection services through the Equifax Credit Watch Gold service. All account passwords were also reset for security purposes.

Humana is presently implementing new configurations to enhance the protection of its websites and has applied a new system for notifications of successful and failed sign in attempts.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

This attack may simply be a brute force attempt to access users’ accounts with just a username obtained in a former breach and a list of commonly used passwords. To reduce the chance of such an attack resulting in unauthorized access to website accounts, strong, complex passwords should be used for accounts that have not been used in the past on other accounts.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: