Humana Breaches Reflect Chronic Credential Theft in Healthcare

A series of 2018 cybersecurity incidents shows credential stuffing is a trend to watch among healthcare organizations.

On Oct. 25, 2018, Bankers Life informed Humana of "unusual activity" affecting its systems. This was among the last breaches Humana disclosed in 2018 but far from the first.

Bankers Life, which does business with the health insurance company, first noticed suspicious activity on Aug. 7, 2018. An investigation with an external forensics investigator revealed that an unknown, unauthorized actor obtained system credentials for Bankers Life employees and gained access to websites where people can log in to apply for Humana healthcare policies, the company recently disclosed.

Investigators found the breach affected consumer insurance applications and the data within them, including birthdates, addresses, the last four digits of Social Security numbers, and insurance-related data (policy or application numbers, type and cost of coverage, for example). The intruder had access to the data from May 30 through Sept. 13, officials report.

"What is alarming are the timelines of the attack, which show that the attack ran from May through to September," says Garrett O'Hara, principal consultant at Mimecast. "This is not unusual, but does raise questions around what activity was happening in the background."

This incident did not compromise full Social Security numbers, banking or credit card data, or any information about individuals' health or medical care, Humana explained in its breach disclosure. Bankers Life is offering a year of free identity repair and credit monitoring services, and "took steps to further restrict and monitor access to its systems and enhance additional security procedures, including additional training for certain employees," the company said.

"Based on the current reporting, this breach appears to be pretty typical," says Matthew Gardiner, security strategist at Mimecast. "In many cases, the attacker doesn't even know what they are going to do with the stolen data until they steal and evaluate it." It's common, he adds, for cybercriminals to steal data first and only then look for a secondary black market to sell it into.

Credential Compromise is Chronic 

Credential-harvesting attacks have become one of the most prevalent attack types not only in healthcare, but for all organizations, says Gardiner. However, because of legal requirements to report breaches, disclosures from healthcare firms appear in public disproportionately often. The rise in online applications, combined with single-factor authentication, makes credential theft "a natural stepping stone for cybercriminals" and results in these types of cyberattacks, he adds.

The Bankers Life incident wasn't the first incident of credential stuffing for Humana in 2018. This summer brought a phishing attack to Family Physicians Group (FPG), a firm Humana acquired in April and one of the largest healthcare providers for Medicare and Medicaid patients in Central Florida, as per HIPAA Journal, which says FPG has 22 clinics in the area.

Similar to the Bankers Life incident, this one involved compromised credentials. Investigators analyzing the FPG attack learned an intruder broke into an employee's email account using credentials the employee had handed over in response to a phishing message. The actor(s) broke into the account on Aug. 7, 2018 and continued to have access to it until Aug. 21.

In total, the FPG attack exposed the data of 8,400 patients. Affected information did not include financial data or Social Security numbers. It did include names, birthdates, physicians' names, and health insurance information. FPG so far has no indication the data was abused but had employees change their passwords and took steps to protect email accounts from phishing.

Humana also notified members of a credential-stuffing incident in early July following an attack on Humana.com and Go365.com. In early June, the company detected a "significant increase" in secure login errors after several attempts to log into both Humana and Go365 from foreign countries. Its security operations team blocked the intruding IP addresses on June 4, 2018.

The volume of attacks indicated a "large and broad-based automated attack," reported Jim Theiss, Humana's chief privacy officer, in a letter dated June 21. It seems the attacker had a large number of user IDs and passwords and was attempting to see which combinations were valid. The high number of failures shows the ID/password combinations didn't come from Humana.

What to Do About It

Dr. Asem Othman, team lead for biometric science at Veridium, says health credentials are worth more than other credentials on the Dark Web. The Bankers Life/Humana breach demonstrates how privileged access, such as database access, needs to be carefully managed with stronger authentication requirements and approval from administrators and/or supervisors.

Biometric authentication is making its mark in healthcare, says Dr. Othman. For example, patients seek touchless biometrics like FaceID and fingerprint logins. In some operating rooms, periocular (a scan of the eye area) and voice can both prove useful. "Replacing passwords with biometrics will ensure secure yet convenient access to health and insurance records, and provide true identity authentication, preventing leaks of PII as seen in the Bankers Life breach."

While investment in technology for protection is crucial, says O'Hara, people will continue to be weak points in security as both sophisticated and simple social engineering attacks give attackers access to credentials. The value of healthcare data, combined with "traditionally limited budgets" for healthcare's IT and security teams, increases the appeal to attackers.

"The huge downward pressure to do more with less will see legacy medical systems, often out-of-date and unpatched, being used as a stepping stone into more lucrative systems," he adds.

Because of this, he strongly advises end-user education programs to help employees both understand cybersecurity and become invested in protecting the company they work for. Regular and relevant education, while difficult, can help get through to employees.

Humana did not respond to a request for comment on this article.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Reader comment, 1/9/2019, 7:04:10 AM: User Education
And include C-SUITE EDUCATION too - management has to understand the significance. Generally does not. Users are the front line of infections - one lady brought down North Carolina through an infected attachment. But management has to give this subject the respect and budget it deserves. Why? Equifax. Case closed.