Health insurer Humana recently began notifying an unspecified number of health plan members after detecting and blocking a credential stuffing attack against Humana.com and Go365.com. The attacks took place on June 3 and June 4 from overseas IP addresses.
In a notification letter dated June 21, Jim Theiss, Humana’s Chief Privacy Officer, writes:
On June 3, 2018, Humana was the target of a sophisticated cyber spoofing attack that occurred on Humana.com and Go365.com. Your personal information on these websites may have been accessed by the attackers.
On June 3, 2018, Humana became aware of a significant increase in the number of secure login errors that were the result of numerous attempts to log into Humana.com and/or Go365.com from foreign countries. Humana Cyber Security Operations blocked the offending foreign Internet Protocol (IP) addresses from the websites on June 4, 2018.
The volume of login attempts to Humana.com and/or Go365.com on June 3, 2018 and June 4, 2018 suggested that a large and broad-based automated attack had been launched. This was evidenced by the volume of login attempts coming from a foreign country. The nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs) and corresponding passwords that were being inputted with the intention of identifying which might be valid on Humana.com and/or Go365.com. The excessive number of login failures strongly suggests the ID and password combinations did not originate from Humana. Humana blocked the foreign addresses by June 4, 2018.
In response to the incident, Humana took a number of steps, including forcing a password reset, deploying new alerts on successful and failed logins and on locked accounts, and deploying a series of technical controls to harden the web portals. Humana is also offering affected members an identity theft protection product for one year.
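The signal Humana's letter describes (a spike in failed logins from a few source addresses, each attempt against a different account ID) is the shape a credential stuffing detector looks for. Below is an added example, not Humana's tooling or data: it buckets constructed portal auth-log lines per source IP and time window, flags buckets with many attempts, a high share of distinct user IDs and mostly failures, and lists the accounts where a stuffed credential succeeded, since those are the ones a forced password reset must cover. The log format, thresholds and field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real Humana data): "<timestamp> <src_ip> <user_id> <result>"
SAMPLE_LOG = """\
2018-06-03T02:00:01 203.0.113.7 member0001 FAIL
2018-06-03T02:00:01 203.0.113.7 member0002 FAIL
2018-06-03T02:00:02 203.0.113.7 member0003 FAIL
2018-06-03T02:00:02 203.0.113.7 member0004 OK
2018-06-03T02:00:03 203.0.113.7 member0005 FAIL
2018-06-03T02:00:03 203.0.113.7 member0006 FAIL
2018-06-03T02:00:04 198.51.100.9 alice FAIL
2018-06-03T02:00:09 198.51.100.9 alice FAIL
2018-06-03T02:00:15 198.51.100.9 alice OK
2018-06-03T02:01:00 192.0.2.44 bob OK
"""


def parse(log_text):
    """Turn each log line into (timestamp, source_ip, user_id, succeeded)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window_minutes=5, min_attempts=5,
                    min_distinct_ratio=0.8, min_fail_ratio=0.5):
    """Flag (source IP, window) buckets whose shape matches credential stuffing:
    many attempts, nearly every attempt against a different account, mostly failures.
    A user retrying their own password (few attempts, one account) is not flagged."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0)
        buckets[(ip, start)].append((user, ok))
    alerts = []
    for (ip, start), attempts in buckets.items():
        n = len(attempts)
        distinct = len({u for u, _ in attempts})
        fails = sum(1 for _, ok in attempts if not ok)
        if n >= min_attempts and distinct / n >= min_distinct_ratio and fails / n >= min_fail_ratio:
            alerts.append({"ip": ip, "window_start": start.isoformat(), "attempts": n,
                           "distinct_users": distinct, "failures": fails,
                           # accounts where a stuffed credential worked: reset these first
                           "hits": sorted(u for u, ok in attempts if ok)})
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, only 203.0.113.7 is flagged (6 attempts, 6 distinct IDs, 5 failures), with member0004 reported as the account to reset; alice's three retries from one address are left alone.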
Of note, Humana informed members that
Humana has determined there is no evidence that any data was removed from Humana systems.
This incident does not yet appear on HHS’ public breach tool. When it does, we will have a count of affected members.