Cyber Incident Victim: Humana
Date: Jun 2018
Location: United States of America
Summary
Humana experienced a credential stuffing attack targeting its Humana.com and Go365.com portals, involving automated login attempts from overseas IP addresses using compromised credentials not originating from the health insurer's systems. The attack was detected due to a significant increase in secure login errors, prompting immediate blocking of foreign IP addresses and subsequent implementation of enhanced security controls including forced password resets, new login activity alerts, and technical portal safeguards. While unauthorized access to personal information may have occurred during the incident, the organization found no evidence of data exfiltration and offered affected members complimentary identity theft protection services.
Description
On June 3, 2018, Humana detected a credential stuffing attack targeting its Humana.com and Go365.com websites, characterized by a significant surge in secure login errors originating from overseas IP addresses. The attack persisted through June 4, with automated attempts to authenticate using large volumes of user IDs and passwords, indicating the attackers possessed a precompiled database of credentials not sourced from Humana’s systems. Humana’s Cyber Security Operations identified the foreign IP addresses responsible for the login attempts and blocked them by June 4, 2018. The scale and automated nature of the attack, coupled with its international origin, led Humana to classify it as a sophisticated cyber spoofing incident. While the attackers potentially accessed personal information through compromised accounts during the attack window, Humana found no evidence that data was exfiltrated or removed from its systems. The company did not disclose the exact number of affected members in its June 21 notification.

In response, Humana initiated forced password resets for impacted accounts and implemented enhanced security measures, including new alert systems for successful and failed logins and account lockouts. The company deployed additional technical controls to strengthen the security of its web portals. Affected members received notification letters from Chief Privacy Officer Jim Theiss, outlining the incident and Humana’s mitigation steps. As a remedial measure, Humana offered one year of identity theft protection to impacted individuals. The incident was not yet listed on the U.S. Department of Health and Human Services’ public breach tool at the time of the notification. Humana emphasized its proactive containment of the attack within two days and reiterated that the compromised credentials were not obtained from its own infrastructure.
