Humana is alerting members in a number of states that their PHI may have been accessed during a ‘sophisticated’ spoofing attack.
A spoofing attack happens when a threat actor or bot try to gain access to a system or data using stolen or spoofed login credentials. Humana noticed the attack on June 3, when large numbers of failed login attempts were noticed from foreign IP addresses. Swift action was taken to prevent the attack, with the foreign IP addresses blocked from accessing its Humana.com and Go365.com websites on June 4.
Humana said that: “The nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs).” It is possible the login credentials are old and that they were obtained in a separate third-party breach, although Humana notes that “the excessive number of log in failures strongly suggests the ID and password combinations did not originate from Humana.”
The website accounts did not include Social Security numbers or financial data; however, the following sort of information could potentially have been accessed by the hackers: Details of medical, dental, and vision claims, supplier name, dates of service, services performed, charge amounts, paid amounts, spending account information, balance details, wellness information, and biometric screening info.
Humana says it has not found any evidence to suggest any members’ data were obtained in the attack; however, as a precaution, all members whose accounts could possible have been accessed have been offered 12 months free credit monitoring and identity theft protection services through the Equifax Credit Watch Gold service. A password reset has been carried out on all accounts.
Humana is, at present, deploying new controls to improve the security of its websites and has put in place a new system for alerts of successful and failed login efforts.
This attack may just be a massive attempt to obtain access to users’ accounts with just a username obtained in a previous breach and a list of possible passwords. To minimize the potential for such an attack resulting in unauthorized account access, strong, complex passwords should be used for accounts that have not been used on any other account before.
Two-factor authentication should also be enabled if possible. This requires another piece of information – a code issued to a mobile phone for instance – to be entered when an unfamiliar device or IP attempts to obtain access to an account.