July 11, 2018
Humana is contacting members across the US to notify them that their PHI may have been accessed during a ‘sophisticated’ spoofing campaign.
A spoofing attack, in this sense, is a concentrated attempt by a threat actor or bot to gain access to a system or data using illegally obtained or spoofed login credentials. Humana detected the attack on June 3, when large volumes of failed login attempts from foreign IP addresses were flagged. Swift action was taken to stop the attack, and on June 4 the foreign IP addresses were blocked from accessing its Humana.com and Go365.com websites.
Humana stated that “the type of the attack and noted behaviors showed the attacker had a big database of user identifiers (IDs).” It is possible that the login credentials are invalid and that they were obtained in a separate third-party breach, although Humana notes that “the excessive number of login failures strongly indicates the ID and password groupings didn’t originate from Humana.”
The website accounts did not contain financial data or Social Security numbers; however, the following kinds of information may have been downloaded by the attackers: details of dental, medical, and vision claims, wellness information, balance information, spending account details, paid amounts, charged amounts, services performed, dates of service, provider name, and biometric screening information.
Humana has stated that it has found no evidence that any members’ data were obtained in the attack; nevertheless, as a precaution, all members whose accounts may have been accessed have been offered 12 months of credit monitoring and identity theft protection services through the Equifax Credit Watch Gold service at no charge. A password reset has been initiated on all accounts.
Humana is currently implementing new controls to improve the security of its websites and has adopted a new system for alerting on successful and failed login attempts.
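The detection signal described above (a burst of failed logins from one source IP spread across many distinct user IDs, which is how a replayed list of stolen credentials looks in an authentication log) can be turned into a simple alerting rule. The following is an added example, not Humana's own code; the log format and the sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Humana data):
# timestamp, source IP, user ID, outcome
SAMPLE_LOG = """\
2018-06-03T02:00:01 203.0.113.7 user1001 FAIL
2018-06-03T02:00:02 203.0.113.7 user1002 FAIL
2018-06-03T02:00:03 203.0.113.7 user1003 FAIL
2018-06-03T02:00:04 203.0.113.7 user1004 FAIL
2018-06-03T02:00:05 203.0.113.7 user1005 SUCCESS
2018-06-03T02:00:06 203.0.113.7 user1006 FAIL
2018-06-03T02:10:00 198.51.100.4 user2001 FAIL
2018-06-03T02:10:30 198.51.100.4 user2001 FAIL
2018-06-03T02:11:00 198.51.100.4 user2001 SUCCESS
"""

def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome

def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_failures=5, min_users=4):
    """Flag source IPs with many failed logins across many distinct user IDs
    inside a sliding time window. A replayed list of stolen ID/password pairs
    fails for most accounts and touches a different user on almost every try,
    unlike a single user mistyping their own password (198.51.100.4 above)."""
    events = defaultdict(list)  # ip -> [(timestamp, user, outcome), ...]
    for line in log_text.strip().splitlines():
        ts, ip, user, outcome = parse_line(line)
        events[ip].append((ts, user, outcome))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            burst = evs[start:end + 1]
            failures = [e for e in burst if e[2] == "FAIL"]
            users = {e[1] for e in failures}
            if len(failures) >= min_failures and len(users) >= min_users:
                # Successes inside the burst are the accounts most likely to
                # have been accessed and are the first candidates for a reset.
                successes = sorted({e[1] for e in burst if e[2] == "SUCCESS"})
                flagged[ip] = {"failures": len(failures), "distinct_users": len(users),
                               "successes_in_burst": successes}
                break
    return flagged
```

The thresholds are assumptions to tune per site; a single IP that fails repeatedly against one account is a lockout or password-guessing case and is deliberately left to other rules.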
This attack may simply have been a brute-force attempt to gain access to users’ accounts using only a username obtained in an earlier breach and a list of likely passwords. To reduce the risk of such an attack resulting in unauthorized account access, strong, complex passwords that have never been used on any other account should be employed.
It is also recommended that two-factor authentication be enabled. This requires an additional piece of information, such as a code sent to a mobile phone, to be entered when an unknown device or IP address attempts to access an account.