Humana Notifying Victims of 'Identity Spoofing' AttackHealth Plan: Large Volume Log-In Attempts Coming From 'Foreign Countries'
Humana is notifying individuals in multiple states that the company was a recent target of a "sophisticated cyber spoofing attack" that potentially compromised personal information of its members, including those participating in the health insurer's Go365 wellness programs.
See Also: Case Study: The Road to Zero Trust
In a breach notification statement, Humana says that on June 3 the company became aware of "a significant increase" in the number of secure login errors that were the result of numerous attempts to access its Humana.com and Go365.com websites from foreign countries.
Humana's cybersecurity operations blocked the offending foreign Internet Protocol addresses from the websites on June 4, says the Louisville, Ky.-based company, which provides medical, dental, wellness, and other health plans to millions of members in the U.S.
"The volume of login attempts to Humana.com and/or Go365.com on June 3 and June 4 suggested that a large and broad-based automated attack had been launched," Humana says.
"The nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers and corresponding passwords that were being inputted with the intention of identifying which might be valid on Humana.com and/or Go365.com," Humana says.
"The excessive number of log in failures strongly suggests the ID and password combinations did not originate from Humana. Humana blocked the foreign addresses by June 4. Based on the facts, Humana has determined this to be an identity spoofing event."
Information potentially viewed or accessed as a result of the attacks include medical, dental and vision claims, including services performed, provider name, dates of service, charge and paid amounts; spending account information such as health saving account spending and balance information; and wellness information, including biometric screening information, Humana says.
Social security and bank account numbers were not disclosed as a result of the attacks because that data is not available for display on the Humana web portals, the company adds.
Humana is offering one year of free identity and credit monitoring to affected individuals.
Humana did not immediately respond to an Information Security Media Group inquiry, including the estimated number of individuals whose protected health information was potentially impacted.
As of July 2, the incident was not posted on the U.S. Department of Health and Human Services' "wall of shame" HIPAA Breach Reporting Tool website, which lists health data breaches impacting 500 or more individuals.
Brute Force Attempts?
Keith Fricke, principle consultant at tw-Security says the activity Humana described as identity spoofing is a combination of reconnaissance and brute force log in attempts - methods cyber criminals use to gain unauthorized access to systems and networks.
"It seems that the attacks were testing access against a list of possible login accounts, likely with a list of passwords to try," he says.
"Some software tools exist to carry out these attacks - some are freely available, others are commercial products. Security professionals may use these tools to test the security of their networks and systems, as part of their organization's information security risk management program," he notes.
So, were the user IDs and passwords used by the Humana attackers potentially stolen from earlier breaches or attacks on Humana or other entities?
In its statement, Humana claims that the "password combinations did not originate from Humana."
However, David Finn, executive vice president at security consulting firm CynergisTek notes it is "safe to assume" that the credentials used in the Humana attacks were stolen credentials from one or more other attacks, potentially impacting other organizations.
"It may even be that they obtained data from multiple sources and then cross-referenced it to enhance their 'hit rate,'" he says. "The bad guys are very clever at collecting, analyzing, using and re-using data."
Fricke notes that the description from Humana sounds as though the attackers "may not have had an actual list of username accounts, but rather were trying a list of accounts and examining responses from the targeted systems."
He adds: "For each 'guessed' user account, many password attempts may have been made. It is possible that the criminals had a list of valid user accounts and were testing sets of passwords against them. It is not known where the criminals may have gotten a hold of these accounts."
Overall, identity spoofing is a "very broad category" of attack, notes Finn, a former healthcare system CIO.
"Personally, I think a lot of identity spoofing of one form is related to other ID spoofing attacks that expand in breadth and depth. A targeted spear phishing attack that appears to come from a legitimate company or your own help desk may be used to collect user-IDs and passwords, for example," he notes.
"Then, those credentials would be used to gain access to other accounts either at the company where they were obtained or, because we all tend to reuse those credentials, at other locations."
Unfortunately, the healthcare industry continues to be hard hit by identity spoofing attacks, he adds.
"This is a powerful technique in unethically or illicitly collecting information and in delivering malicious payloads - ranging from business email compromise ... to collecting and using legitimate but stolen credentials of actual users."
—David Finn, CynergisTek
"This is a powerful technique in unethically or illicitly collecting information and in delivering malicious payloads - ranging from business email compromise ... to collecting and using legitimate but stolen credentials of actual users," he says.
"They look like legitimate emails from important people or vendors so if they can get into the right email box, they are likely to get clicked on. In this case, the 'bad guys' had apparently collected a large number of user IDs and were attempting to gain access to the actual user's accounts."
Steps to Take
While brute force and other "identity spoofing" attacks are certainly not unique to the healthcare sector, experts says there are measures entities can take to prevent falling victim to these assaults.
"Make sure systems have account lockout after failed login accounts enabled, especially for Internet-facing systems," Fricke says.
In addition, systems should record failed login attempts. "Logging systems should send alerts to system administrators when the number of failed logins exceeds a threshold outside of the normal baseline," Fricke suggests.
Also, "block incoming Internet traffic from foreign countries with whom an organization does not do business," he adds.
For the type of attack at Humana, Finn notes other steps that entities can take:
- Using authentication based on key exchange between the machines on an organization's network or multi-factor authentication for remote access;
- Using an access control list to deny private IP addresses on downstream interfaces;
- Implementing filtering of both inbound and outbound traffic;
- Configuring routers and switches - if possible - to reject packets originating from outside an organization's local network that claim to originate from within;
- Enabling encryption sessions on an organization's router so that trusted hosts outside its network can securely communicate with its local hosts.
Finn also notes that the Domain-based Message Authentication, Reporting & Conformance - or DMARC - standard "is very effective" in fighting email ID spoofing attacks.
For its part, Humana says it has taken measures following the attack, as well. That includes implementing controls such as forcing a password reset, deploying new alerts of successful and failed logins and locked accounts as well as deploying a series of technical controls to enhance web portal security.
"Humana has determined there is no evidence that any data was removed from Humana systems and Humana cybersecurity operations continues to monitor the situation," the company says.