Humana Reports Cyber Spoofing Attack

by | Jul 9, 2018

Humana is contacting members across the US to notify them that their PHI may have been been accessed during a ‘sophisticated’ spoofing campaign.

A spoofing attack refers to a concerted effort by a threat actor or bot to gain access to a system or data using illegally obtained or spoofed login credentials. Humana noticed the attack on June 3, when large numbers of failed login attempts were flagged from foreign IP addresses. Prompt action was taken to obstruct the attack, with the foreign IP addresses prevented from accessing its and websites on June 4.

Humana stated that “the nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs).” It is possible the login credentials are expired and that they were obtained in a separate third-party breach, although Humana notes that “the excessive number of log in failures strongly suggests the ID and password combinations did not originate from Humana.”

The website accounts did not include Social Security numbers or financial data; however, the following range of information could potentially have been downloaded by the hackers: Details of medical, dental, and vision claims, provider name, dates of service, services performed, charge amounts, paid amounts, spending account details, balance information, wellness information, and biometric screening information.

Humana has said that it has not uncovered any proof to suggest any members’ data were obtained in the attack; however, as a precaution, all members whose accounts may have been accessed have been offered 12 months of credit monitoring and identity theft protection services through the Equifax Credit Watch Gold service with non charge. A password reset has been initiated on all accounts.

Humana is, at present, deploying new controls to enhance the security of its websites and has adapted a new system for alerts of successful and failed login attempts.

This attack could simply be a brute force attempt to gain access to users’ accounts with just a username obtained in a previous breach and a list of possible passwords. To reduce the threat of an attack resulting in unauthorized account access, strong, complex passwords should be implemented for accounts that have not been used on any other account at any time.

It is recommended that two-factor authentication also be activated. This requires an additional piece of information – a code issued to a mobile phone for example – to be entered when an unfamiliar device or IP attempts to obtain access to an account.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy