July 5, 2018
Humana is notifying members in numerous states that their PHI may have been accessed during a ‘sophisticated’ spoofing attack.
A spoofing attack is an attempt by a threat actor or bot to gain access to a system or data using stolen or spoofed login credentials. Humana became aware of the attack on June 3, when large numbers of unsuccessful login attempts were detected from foreign IP addresses. Swift action was taken to block the attack, with the foreign IP addresses blocked from accessing its Humana.com and Go365.com websites on June 4.
Humana states that “the nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs).” It is possible the login credentials are old and were obtained in a separate third-party breach, although Humana notes that “the high number of login failures clearly indicates the ID and password combinations did not originate from Humana.”
The website accounts did not contain financial information or Social Security numbers; however, the following types of information may have been accessed by the attackers: details of medical, dental, and vision claims, balance information, spending account information, amounts paid, amounts charged, services performed, dates of service, provider name, wellness information, and biometric screening data.
Humana says it has found no evidence that any members’ data were stolen in the attack; however, as a precaution, all members whose accounts may have been accessed have been offered 12 months of credit monitoring and identity theft protection services through Equifax Credit Watch Gold. A password reset has been performed on all accounts.
Humana is currently implementing new controls to improve the security of its websites and has deployed a new system for alerting on successful and failed login attempts.
This attack may simply have been a brute-force attempt to gain access to users’ accounts using only a username obtained in an earlier breach and a list of likely passwords. To reduce the chance of such an attack resulting in unauthorized account access, strong, complex passwords that have not previously been used on any other account should be used.
If possible, two-factor authentication should also be enabled. This requires an additional piece of information – a code sent to a mobile phone, for example – to be entered when an unknown device or IP address attempts to access an account.
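As an added illustration of the login alerting described above (not Humana's system or code from this article), the following flags source IPs whose failed logins are spread across many distinct user IDs, the signature of an attacker working through a stolen ID list rather than one user mistyping a password, and lists any accounts that later logged in successfully from such an IP so they can be reset. The log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login log: timestamp, source IP, user ID, outcome.
# The first IP cycles through different IDs (stolen-list pattern); the
# second is one user retrying their own password (benign).
SAMPLE_LOG = """\
2018-06-03T02:00:01Z 203.0.113.10 user1001 FAIL
2018-06-03T02:00:02Z 203.0.113.10 user1002 FAIL
2018-06-03T02:00:03Z 203.0.113.10 user1003 FAIL
2018-06-03T02:00:04Z 203.0.113.10 user1004 FAIL
2018-06-03T02:00:05Z 203.0.113.10 user1005 OK
2018-06-03T02:00:06Z 198.51.100.7 user2001 FAIL
2018-06-03T02:00:07Z 198.51.100.7 user2001 FAIL
2018-06-03T02:00:08Z 198.51.100.7 user2001 OK
"""


def parse_log(text):
    """Turn log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, min_failures=3, min_distinct_users=3):
    """Return {ip: summary} for IPs with many failures across many IDs.

    Thresholds are illustrative assumptions, not values from the article.
    Successes that occur after an IP has crossed the failure threshold are
    recorded as accounts needing a password reset.
    """
    failures = defaultdict(int)
    failed_users = defaultdict(set)
    successes_after = defaultdict(set)
    for _, ip, user, ok in events:
        if ok:
            if failures[ip] >= min_failures:
                successes_after[ip].add(user)
        else:
            failures[ip] += 1
            failed_users[ip].add(user)
    flagged = {}
    for ip, n in failures.items():
        if n >= min_failures and len(failed_users[ip]) >= min_distinct_users:
            flagged[ip] = {"failures": n,
                           "distinct_users": len(failed_users[ip]),
                           "accounts_to_reset": sorted(successes_after[ip])}
    return flagged
```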