Humana Reports Cyber Spoofing Attack

by Ryan Coyne | Jul 9, 2018

Humana is contacting members across the US to notify them that their PHI may have been been accessed during a ‘sophisticated’ spoofing campaign.

A spoofing attack refers to a concerted effort by a threat actor or bot to gain access to a system or data using illegally obtained or spoofed login credentials. Humana noticed the attack on June 3, when large numbers of failed login attempts were flagged from foreign IP addresses. Prompt action was taken to obstruct the attack, with the foreign IP addresses prevented from accessing its Humana.com and Go365.com websites on June 4.

Humana stated that “the nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs).” It is possible the login credentials are expired and that they were obtained in a separate third-party breach, although Humana notes that “the excessive number of log in failures strongly suggests the ID and password combinations did not originate from Humana.”

The website accounts did not include Social Security numbers or financial data; however, the following range of information could potentially have been downloaded by the hackers: Details of medical, dental, and vision claims, provider name, dates of service, services performed, charge amounts, paid amounts, spending account details, balance information, wellness information, and biometric screening information.

Humana has said that it has not uncovered any proof to suggest any members’ data were obtained in the attack; however, as a precaution, all members whose accounts may have been accessed have been offered 12 months of credit monitoring and identity theft protection services through the Equifax Credit Watch Gold service with non charge. A password reset has been initiated on all accounts.

Humana is, at present, deploying new controls to enhance the security of its websites and has adapted a new system for alerts of successful and failed login attempts.

This attack could simply be a brute force attempt to gain access to users’ accounts with just a username obtained in a previous breach and a list of possible passwords. To reduce the threat of an attack resulting in unauthorized account access, strong, complex passwords should be implemented for accounts that have not been used on any other account at any time.

It is recommended that two-factor authentication also be activated. This requires an additional piece of information – a code issued to a mobile phone for example – to be entered when an unfamiliar device or IP attempts to obtain access to an account.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter