Humana is contacting members across the US to notify them that their PHI may have been been accessed during a ‘sophisticated’ spoofing campaign.
A spoofing attack refers to a concerted effort by a threat actor or bot to gain access to a system or data using illegally obtained or spoofed login credentials. Humana noticed the attack on June 3, when large numbers of failed login attempts were flagged from foreign IP addresses. Prompt action was taken to obstruct the attack, with the foreign IP addresses prevented from accessing its Humana.com and Go365.com websites on June 4.
Humana stated that “the nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs).” It is possible the login credentials are expired and that they were obtained in a separate third-party breach, although Humana notes that “the excessive number of log in failures strongly suggests the ID and password combinations did not originate from Humana.”
The website accounts did not include Social Security numbers or financial data; however, the following range of information could potentially have been downloaded by the hackers: Details of medical, dental, and vision claims, provider name, dates of service, services performed, charge amounts, paid amounts, spending account details, balance information, wellness information, and biometric screening information.
Humana has said that it has not uncovered any proof to suggest any members’ data were obtained in the attack; however, as a precaution, all members whose accounts may have been accessed have been offered 12 months of credit monitoring and identity theft protection services through the Equifax Credit Watch Gold service with non charge. A password reset has been initiated on all accounts.
Humana is, at present, deploying new controls to enhance the security of its websites and has adapted a new system for alerts of successful and failed login attempts.
This attack could simply be a brute force attempt to gain access to users’ accounts with just a username obtained in a previous breach and a list of possible passwords. To reduce the threat of an attack resulting in unauthorized account access, strong, complex passwords should be implemented for accounts that have not been used on any other account at any time.
It is recommended that two-factor authentication also be activated. This requires an additional piece of information – a code issued to a mobile phone for example – to be entered when an unfamiliar device or IP attempts to obtain access to an account.