Humana is notifying members in certain states that an advanced spoofing attack may have compromised their protected health information (PHI).
A spoofing attack is an attempt by a bot or threat actor to gain access to a system or to information using stolen or spoofed login credentials. Humana noticed the attack on June 3, when a large number of unsuccessful login attempts was recorded from foreign IP addresses. Quick action was taken to stop the attack: on June 4, 2018, the foreign IP addresses were blacklisted from accessing the Go365.com and Humana.com websites.
Based on the activity detected, Humana believes the attacker had a large database of user IDs. It is probable that the login credentials were outdated and had been obtained by the attacker from a breach at a different third party; Humana also says that the high failure rate of the login attempts clearly implies the ID and password pairs did not come from Humana.
The accounts on the website did not hold financial information or Social Security numbers; nonetheless, the following types of information may have been viewed by the attackers: medical, dental, and vision claims data; medical insurance provider name; service dates; services performed; billed amounts; paid amounts; spending account data; balance details; health care information; and biometric screening information.
Humana states that it has found no evidence that any members’ information was compromised in the data breach; nonetheless, as a precaution, users whose accounts could have been accessed were offered one year of complimentary credit monitoring and identity theft protection services through the Equifax Credit Watch Gold service. All account passwords were also reset as a safety measure.
Humana has now deployed new settings to strengthen the defenses of its websites and has implemented a new system for reporting on failed and successful access attempts.
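The detection signal described above (a burst of failed logins from a small set of source addresses, followed by blocking those addresses and reviewing any successful logins from them) can be reproduced in a few lines over an authentication log. The script below is an added example, not Humana's code: the log format (`<timestamp> <OK|FAIL> user=<id> ip=<addr>`) and the sample lines are constructed for illustration, and the thresholds are assumptions a defender would tune to their own traffic. It flags IPs whose failures within a short window hit many different accounts, which separates credential stuffing from one user mistyping their own password, and lists accounts that logged in successfully from a flagged IP so they can be prioritized for a password reset.

```python
"""Added example (not Humana's code): flag credential-stuffing sources in an auth log.

Assumed log line format: "<ISO-8601 timestamp> <OK|FAIL> user=<id> ip=<addr>".
The sample lines and IP/user values below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one IP sprays five different accounts in four seconds
# (and lands one success), one IP retries a single account slowly, one is benign.
SAMPLE_LOG = """\
2018-06-03T01:00:01Z FAIL user=alice ip=203.0.113.10
2018-06-03T01:00:02Z FAIL user=bob ip=203.0.113.10
2018-06-03T01:00:02Z FAIL user=carol ip=203.0.113.10
2018-06-03T01:00:03Z FAIL user=dave ip=203.0.113.10
2018-06-03T01:00:04Z OK   user=erin ip=203.0.113.10
2018-06-03T01:00:05Z FAIL user=frank ip=203.0.113.10
2018-06-03T01:00:09Z FAIL user=alice ip=198.51.100.7
2018-06-03T01:00:40Z FAIL user=alice ip=198.51.100.7
2018-06-03T01:02:00Z FAIL user=alice ip=198.51.100.7
2018-06-03T01:00:10Z OK   user=grace ip=192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+ip=(\S+)$")


def parse_log(text):
    """Parse log text into (timestamp, result, user, ip) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_stuffing_sources(events, window=timedelta(seconds=60), min_failures=5, min_users=3):
    """Return {ip: {"failures": n, "users": k}} for every IP that, within any
    sliding `window`, produced >= min_failures failed logins spread over
    >= min_users distinct accounts. The distinct-account requirement is what
    distinguishes a credential-stuffing source from a single forgetful user."""
    failures_by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            failures_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()  # order by timestamp so the window can slide
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                flagged[ip] = {"failures": len(span), "users": len(users)}
                break  # one qualifying window is enough to block the source
    return flagged


def successes_from(events, ips):
    """Accounts that logged in successfully from a flagged IP: likely compromised
    credentials, so these are the first candidates for a forced password reset."""
    return sorted({user for _, result, user, ip in events if result == "OK" and ip in ips})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evts)
    print("block these source IPs:", sources)
    print("reset passwords for:", successes_from(evts, set(sources)))
```

Running it on the constructed log flags only 203.0.113.10 (five failures across five accounts in four seconds) and reports `erin` as the account to reset; the slow single-account retries from 198.51.100.7 stay below both thresholds. In production the same logic would run continuously over the log stream, and the flagged set would feed the firewall or WAF blocklist rather than a print statement.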
This attack may simply have been a brute-force attempt to get into user accounts using usernames acquired from a previous breach and a list of candidate passwords. To reduce the chance of such an attack granting unauthorized access, accounts should use strong, complex passwords that have not been used on any other account.
Where possible, two-factor authentication should also be enabled. This requires an additional piece of information – a code sent to a mobile phone, for example – to be entered when an unknown device or IP address attempts to log in to an account.