Business associate causes a breach for Humana, affecting 5,569

Humana has notified 5,569 members that a limited amount of their protected health information may have been compromised.

Unauthorized third parties posing as physician provider groups registered on one of Humana’s authorized vendors—Availity—the web portal of which providers use to check eligibility and benefits for multiple health plans.

The hackers requested eligibility and benefit verification of health plan members by using certain personal information they already had in their possession.

Humana executives say they have no reason to believe the information was obtained from Humana or Availity, and the breach was complex in nature and affected other health insurers—suggesting that other payers may soon be issuing similar notices.

Humana-HQ-CROP.jpg
Signage is displayed outside the Humana Inc. office building in Louisville, Kentucky, U.S., on Saturday, Nov. 26, 2016. The Justice Department sued in July to block the union of Aetna Inc. and Humana Inc., saying they would reduce the number of large, national health care insurance providers, leading to increased costs for their clients. Photographer: Luke Sharrett/Bloomberg

Also See: Bitglass blames hacking, IT incidents as main reasons for breaches

Investigations found a series of data breaches stretching from Jan. 15, 2016, to Nov. 7, 2018. Exposed data included patient names, Humana member identification numbers, plan effective dates, benefit information, care reminders for lab tests or other treatments.

Full Social Security numbers, banking and credit card information were not compromised.

Humana is expressing regrets for any concern the incident may have caused members and is offering one year of credit monitoring and identity theft protection through Equifax. Members also are being advised to check for changes in explanation of benefit letters, or medical records they do not recognize and contact Humana immediately.

After the incidents, Availity has strengthened its security process by adding additional access requirements and enhanced monitoring.

For reprint and licensing requests for this article, click here.