Humana Discloses Third-Party Data Breach at Choice Health

September 27, 2022 - Humana disclosed a third-party data breach to the Maine Attorney General’s Office that impacted 22,767 individuals. The breach originated at Choice Health, which sells Medicare products on Humana’s behalf.

On May 14, Choice Health learned “that an unauthorized person was offering to make data available that was allegedly taken from a Choice Health database,” Humana’s notice stated.

Further investigation determined that a single Choice Health database was accessible through the internet due to a security misconfiguration caused by a third-party service provider. The unauthorized party accessed the database and obtained certain files on May 7.

“At the time, Choice Health believed the affected data was comprised solely of lead generation and marketing information that belonged exclusively to Choice Health and not to any of their carrier partners,” the notice continued.

However, in July, Choice Health determined that the impacted data included carrier partner information, including that of Humana members.

The unauthorized party obtained data containing first names, Social Security numbers, dates of birth, addresses, health insurance information, contact information, and Medicare beneficiary identification numbers.

“Upon learning of the incident, Choice Health worked with their third-party service provider to reconfigure the security settings on the database,” the notice stated.

“The database is no longer accessible through the Internet. Choice Health has also taken steps to enhance their data security measures to prevent the occurrence of a similar event in the future, including requiring multi-factor authentication for all access to database files.”

Choice Health and Humana recommended that individuals remain vigilant against instances of fraud or identity theft by monitoring credit reports and reviewing account statements.