Humana web sites hit by sophisticated data attack


Health insurer Humana has notified an undisclosed number of members about a data breach after it uncovered a sophisticated cyber spoofing attack on the web site and its wellness site.

The attack, discovered on June 3, apparently came from one or more undisclosed foreign nations, Humana told affected individuals in its patient notification letter.

“Your personal information on these websites may have been accessed by the attackers,” wrote Jim Theiss, chief privacy officer at Humana, in a June 21 letter to members who potentially could be affected by the attack.

However, the insurer also noted there is no evidence that any data was removed from Humana systems.

On June 3 the insurer discovered significant increases in the number of secure log-in errors, which were deemed to be attempts to gain access to the Humana web sites. On June 4, the email addresses being used in those attempts were blocked from the web sites.

The volume of login attempts to both web sites suggested a large and broad-based automated attack in progress, according to Humana.

“The nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers and corresponding passwords that were being inputted with the intention of identifying which might be valid on and/or,” Humana’s letter indicates. “The excessive number of login failures strongly suggests the ID and password combinations did not originate from Humana.”


Security improvements since the incident include forcing a password reset, deploying new alerts of successful and failed logins, and enhanced security of the web portals.
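The pattern Humana describes, a sudden rise in failed logins spread across a large number of different user IDs, is the kind of signal a login alert can key on. The sketch below is an added example, not Humana's tooling: the event format, thresholds, function names and sample data are all assumptions constructed for illustration. It flags time windows where failures spike above a baseline across many accounts, then lists accounts that logged in successfully from a source that was also failing against many other accounts, which are the candidates for a forced password reset.

```python
from collections import defaultdict
from statistics import median

def detect_stuffing(events, window=300, spike_factor=5, min_users=20, src_users=5):
    """events: (epoch_seconds, source, user_id, ok) tuples (assumed log format).
    Returns (flagged window start times, accounts to review or reset)."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // window * window].append(ev)
    # Baseline is the median failure count per window; the floor of 1
    # keeps a zero baseline from flagging a single mistyped password.
    baseline = max(median(sum(not ok for *_, ok in evs) for evs in buckets.values()), 1)
    flagged, review = [], set()
    for start in sorted(buckets):
        evs = buckets[start]
        fails = sum(not ok for *_, ok in evs)
        users = {u for _, _, u, _ in evs}
        if fails <= spike_factor * baseline or len(users) < min_users:
            continue
        flagged.append(start)
        # Sources that failed against many different accounts in this window.
        failed_by_src = defaultdict(set)
        for _, src, u, ok in evs:
            if not ok:
                failed_by_src[src].add(u)
        noisy = {s for s, us in failed_by_src.items() if len(us) >= src_users}
        # A success from a noisy source means a tried ID/password pair was valid.
        review |= {u for _, src, u, ok in evs if ok and src in noisy}
    return flagged, review

def sample_events():
    """Constructed data: six quiet windows, then one window with an automated run."""
    evs = []
    for w in range(6):
        t = w * 300
        evs += [(t + 10, "10.0.0.%d" % w, "member%d" % w, True),
                (t + 20, "10.0.0.%d" % w, "member%d" % w, False)]
    t = 6 * 300
    for i in range(40):
        evs.append((t + i, "198.51.100.7", "leaked%d@example.com" % i, i == 17))
    evs.append((t + 50, "10.0.0.9", "member9", True))  # legitimate login during the spike
    return evs

if __name__ == "__main__":
    print(detect_stuffing(sample_events()))
```

An attack spread across many sources would need the per-source threshold replaced by another grouping, such as client fingerprint; the window-level spike check is unaffected.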

Members can use Humana’s web site for a variety of reasons, such as checking the status of provider claims. Its wellness site enables members who are living a healthier lifestyle to be rewarded with gift cards, movie tickets and other incentives.

While Humana has not disclosed the number of affected individuals, the number soon will be publicly posted on the HHS Office for Civil Rights data breach website. Humana is offering one year of identity theft protection services from an unnamed vendor to affected individuals.

Information on previous breaches Humana has submitted to OCR includes unauthorized access to a network server submitted in November 2017 and affecting 5,764 individuals; hacking of a network server submitted in April 2017 and affecting 3,831 individuals; and unauthorized disclosure of paper or films submitted in December 2016 and affecting 3,674 individuals.

Humana declined to provide additional details about the most recent incident.
