Humana is notifying an undisclosed number of members across several states to a potential compromise of their health information after it discovered a "sophisticated cyber spoofing attack" on two of its websites June 3.
A spoofing attack involves a third party actor — human or bot — who attempted to gain access to a system using stolen or fake credentials. Humana discovered the attack after detecting a large number of failed logins using foreign IP addresses, which attempted to access its Humana.com and Go365.com websites. The incident was contained by June 4.
The website accounts did not store members' Social Security numbers or financial information, although data such as medical, dental and vision claims, spending account information and biometric screening data were potentially compromised.
Humana has not found any evidence that any members' data were stolen in the attack, but as a precaution, it is offering affected individuals 12 months of credit monitoring and identity theft protection services. All accounts have undergone a password reset.
The insurer said "the nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs)." The login credentials were possibly old and could have been obtained in a separate third-party breach. However, Humana claims "the excessive number of login failures strongly suggests the ID and password combinations did not originate from Humana."
More articles on payers:
U of Mississippi Medical Center hospital bills could be up to 29 times higher for BCBS members if contract ends
10 things to know about Oscar Health: A view of the company 6 years after its founding
Starbucks unveils comprehensive healthcare policy for transgender employees