Humana websites hit by sophisticated spoofing attack from 'foreign countries'

• The compromised sites included Humana.com and wellness site Go365.com.
• The firm blocked the fraud IP addresses used to infiltrate the sites.

Health insurer Humana has disclosed it suffered a data breach after uncovering a sophisticated cyber spoofing attack on its official Humana and Go365 wellness websites.

The company said it discovered the attack on June 3, stating that it came from overseas IP addresses. Humana said they detected a significant increase in the number of secure login errors that were apparently part of a credential stuffing attack used by the hackers to infiltrate the websites. The next day, the offending foreign IP addresses used to gain access to the sites were blocked, the company said.

“The volume of login attempts to Humana.com and/or Go365.com on June 3, 2018 and June 4, 2018 suggested that a large and broad-based automated attack had been launched,” Humana’s Chief Privacy Officer Jim Theiss said in a notification letter dated June 21. “This was evidenced by the volume of login attempts coming from a foreign country.

"The nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs) and corresponding passwords that were being inputted with the intention of identifying which might be valid on Humana.com and/or Go365.com.”

Humana said it has since taken several measures to mitigate the breach.

Customers have been notified about the incident with affected users offered one year of free identity theft protection services.

Data compromised

The insurer said customers' personal information on the targeted websites "may have been accessed by the attackers." However, it said there is currently no evidence that any data was removed from Humana's systems.

Since the discovery of the incident, the company has forced a password reset and is deploying new alerts of successful and failed logins in addition to enhancing the security of its systems

Humana has not disclosed the number of affected individuals. However, the number of affected individuals will soon be publicly posted on the HHS Office for Civil Rights Data breach website.

This is not the first time that Humana has been targeted by hackers.

In December 2016, Humana reported a breach affecting 3674 individuals due to an unauthorized disclosure of paper or films submitted. In April 2017, a network server hack resulted in the data theft of 3831 customers. Again in November 2017, unauthorized access to a network server affected a total of 5,764 individuals.