Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:40 PM
Connect Directly

Humana Breaches Reflect Chronic Credential Theft in Healthcare

A series of 2018 cybersecurity incidents shows credential stuffing is a trend to watch among healthcare organizations.

On Oct. 25, 2018, Bankers Life informed Humana of "unusual activity" affecting its systems. This was among the last breaches Humana disclosed in 2018 but far from the first.

Bankers Life, which does business with the health insurance company, first noticed suspicious activity on Aug. 7, 2018. An investigation with an external forensics investigator revealed that an unknown, unauthorized actor obtained system credentials for Bankers Life employees and gained access to websites where people can log in to apply for Humana healthcare policies, the company recently disclosed

Investigators found the breach affected consumer insurance applications and data within them, including their birthdates, addresses, last four digital of Social Security numbers, and insurance-related data (policy or application numbers, type and cost of coverage, for example). The intruder had access to the data from May 30 through Sept. 13, officials report.

"What is alarming are the timelines of the attack, which show that the attack ran from May through to September," says Garrett O'Hara, principal consultant at Mimecast. "This is not unusual, but does raise questions around what activity was happening in the background."

This incident did not compromise full Social Security numbers, banking or credit card data, or any information about individuals' health or medical care, Humana explained in its breach disclosure. Bankers Life is offering a year of free identity repair and credit monitoring services, and "took steps to further restrict and monitor access to its systems and enhance additional security procedures, including additional training for certain employees," the company said.

"Based on the current reporting, this breach appears to be pretty typical," says Matthew Gardiner, security strategist at Mimecast. "In many cases, the attacker doesn't even know what they are going to do with the stolen data until they steal and evaluate it." It's common, he adds, for cybercriminals to steal data before looking for secondary black market to sell it into.

Credential Compromise is Chronic 

Credential-harvesting attacks have become one of the most prevalent attack types not only in healthcare, but for all organizations, says Gardiner. However, because of legal requirements to report breaches, disclosures disproportionally appear in public from healthcare firms. The rise in online applications, combined with single authentication factors, makes credential theft "a natural stepping stone for cybercriminals" and results in these types of cyberattacks, he adds.

The Bankers Life incident wasn't the first incident of credential stuffing for Humana in 2018. This summer brought a phishing attack to Family Physicians Group (FPG), a firm Humana acquired in April and one of the largest healthcare providers for Medicare and Medicaid patients in Central Florida, as per HIPAA Journal, which says FPG has 22 clinics in the area.

Similar to the Bankers Life incident, this one involved compromised credentials. Investigators analyzing the FPG attack learned an intruder broke into an employee's email account with credentials they were given when an employee responded to a phishing message. The actor(s) broke into the account on Aug. 7, 2018 and continued to have access to it until Aug. 21.

In total, the FPG attack exposed the data of 8,400 patients. Affected information did not include financial data or Social Security numbers. It did include names, birthdates, physicians' names, and health insurance information. FPG so far has no indication the data was abused but had employees change their passwords and took steps to protect email accounts from phishing.

Humana also notified members of a credential-stuffing incident in early July following an attack on Humana.com and Go365.com. In early June, the company detected a "significant increase" in secure login errors after several attempts to log into both Humana and Go365 from foreign countries. Its security operations team blocked the intruding IP addresses on June 4, 2018.

The volume of attacks indicated a "large and broad-based automated attack," reported Jim Theiss, Humana's chief privacy officer, in a letter dated June 21. It seems the attacker had a large amount of user IDs and passwords, and was attempting to see which combinations were valid. The amount of failures shows the ID/password combos didn't come from Humana.

What to Do About It

Dr. Asem Othman, team lead for biometric science at Veridium, says health credentials are worth more than other credentials on the Dark Web. The Bankers Life/Humana breach demonstrates how priviliged access management, like database access, needs to be carefully managed with stronger authentication requirements and approval from administrators and/or supervisors.

Biometric authentication is making its mark in healthcare, says Dr. Othman. For example, patients seek touchless biometrics like FaceID and fingerprint logins. In some operating rooms, periocular (a scan of the eye area) and voice can both prove useful. "Replacing passwords with biometrics will ensure secure yet convenient access to health and insurance records, and provide true identity authentication, preventing leaks of PII as seen in the Bankers Life breach."

While investment in technology for protection is crucial, says O'Hara, people will continue to be weak points in security as both sophisticated and simple social engineering attacks give attackers access to credentials. The value of healthcare data, combined with "traditionally limited budgets" for healthcare's IT and security teams, increases the appeal to attackers.

"The huge downward pressure to do more with less will see legacy medical systems, often out-of-date and unpatched, being used as a stepping stone into more lucrative systems," he adds.

Because of this, he strongly advises end-user education programs to help employees both understand cybersecurity and become invested in protecting the company they work for. Regular and relevant education, while difficult, can help get through to employees.

Humana did not respond to request for comment on this article.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/9/2019 | 7:04:10 AM
User Education
And include C-SUITE EDUCATION too - management has to understand the significance.  Generally does not.  Users are the front line of infections - one lady brought down North Carolina through an infected attachment.  But management has to give this subject the respect and budget it deserves.  Why?  Equifax.  Case closed.
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...