Sophisticated Cyber Spoofing Attack Reported by Humana

Humana is notifying members in several states that their PHI has potentially been accessed during a ‘sophisticated’ spoofing attack.

A spoofing attack is an attempt by a threat actor or bot to gain access to a system or data using stolen or spoofed login credentials. Humana became aware of the attack on June 3, when large numbers of failed login attempts were detected from foreign IP addresses. Prompt action was taken to block the attack, with the foreign IP addresses blocked from accessing its and websites on June 4.

Humana suggests “the nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs).” It is possible the login credentials are old and that they were obtained in a separate third-party breach, although Humana notes that “the excessive number of log in failures strongly suggests the ID and password combinations did not originate from Humana.”

The website accounts did not contain Social Security numbers or financial information; however, the following types of information could potentially have been accessed by the attackers: Details of medical, dental, and vision claims, provider name, dates of service, services performed, charge amounts, paid amounts, spending account information, balance information, wellness information, and biometric screening data.

Humana says it has not uncovered any evidence to suggest any members’ data were stolen in the attack; however, as a precaution, all members whose accounts could potentially have been accessed have been offered 12 months of credit monitoring and identity theft protection services through the Equifax Credit Watch Gold service. A password reset has been performed on all accounts.

Humana is currently deploying new controls to improve the security of its websites and has implemented a new system for alerts of successful and failed login attempts.

This attack could simply be a brute force attempt to gain access to users’ accounts with just a username obtained in a previous breach and a list of possible passwords. To reduce the potential for such an attack resulting in unauthorized account access, strong, complex passwords should be used for accounts that have not previously been used on any other account.

If possible, two-factor authentication should also be activated. This requires an additional piece of information – a code sent to a mobile phone for instance – to be entered when an unfamiliar device or IP attempts to gain access to an account.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.