Thousands of Humana customers have their medical data leaked online by threat actors

Pierluigi Paganini July 22, 2021

Experts found a DB containing sensitive health insurance data belonging to customers of US insurance giant Humana.

An SQL database containing what appears to be highly sensitive health insurance data of more than 6,000 patients has been leaked on a popular hacker forum.

The author of the post claims that the data was acquired from US insurance giant Humana and includes detailed medical records of the company’s health plan members dating back to 2019. The leaked information includes patients’ names, IDs, email addresses, password hashes, Medicare Advantage Plan listings, medical treatment data, and more.

The leak comes more than four months after Humana, the third-largest health insurance company in the US, notified 65,000 of its health plan members about a security breach where “a subcontractor’s employee disclosed medical records to unauthorized individuals” between October 12, 2020, and December 16, 2020. In May, one of the patients affected by the breach filed a lawsuit against the company.

On July 18, we reached out to Humana to verify that the data belonged to them, but they have not responded yet.

One of the forum members who downloaded the database claims that the archive contains information from 2020, and not 2019, as suggested by the leaker. If the forum member’s claims are true, the leaked database might potentially be part of the 2020 breach. 

With that said, the data found in the samples posted by the leaker mostly comes from 2019, which may indicate that it has no connection to the former incident and might have been acquired separately.

To see if any of your online accounts were exposed in previous security breaches, use our personal data leak checker with a library of 15+ billion breached records.

What was leaked?

The leaked SQL database contains more than 823,000 rows of data divided into 97 tables. Some of the tables appear to store highly sensitive patient information of US-based 6,487 individuals, including:

  • Full names
  • Patient IDs
  • Email addresses
  • Street addresses with ZIP codes
  • Password hashes
  • Privacy policy confirmation statuses
  • Medicare Advantage Plan data
  • Medical treatment data
  • Links to photos and videos, some of which may include patient X-rays, CT scans, insurance document scans 

Examples of leaked data included in the samples:

(Medicare Advantage Plan listings)

(Drug prescription listings)

In addition, the database appears to contain API calls to various functions, all of which include private API keys that could be used by threat actors to access other online services used by Humana and/or its partners.

Who had access to the data?

Since the SQL database was made freely available via a WeTransfer link on July 16, it’s safe to assume that multiple users of the hacker forum where it was posted had access to the data.

The question of how many malicious actors actually accessed it remains, and of that, how many are using that data for their cybercriminal activities. It’s also unclear for how long the database has been in the leaker’s possession before it was posted on the hacker forum.

We notified WeTransfer about the incident and will update the article as soon as the link to the leaked database is removed.

What’s the impact?

With the wealth of highly sensitive personal information contained within this database, a bad actor may be able to:

  • Target patients with spear-phishing and/or spam campaigns
  • File fraudulent insurance claims
  • Use the victims’ health insurance
  • Exploit or extort patients based on their health information
  • Collect, collate, and share this medical data with other malicious actors
  • Commit identity theft

If you’re a customer of Humana, there’s a chance your medical data has been leaked. Give a look here to see recommendations provided by CyberNews researchers:

https://cybernews.com/news/humana-insurance-customers-medical-data-leaked/

About the author: CyberNews Team

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Humana)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment