Managed health care provider Humana said an unauthorized third party accessed system credentials of some employees at health insurance company Bankers Life, exposing “limited, personal information” of people who had applied for a Humana policy.

In a breach notification filing with the California Attorney General’s Office, Humana said the miscreants had access to names, addresses, birth dates, the last four digits of Social Security numbers and some information on policies, including policy type, cost and number.

Humana said the incident, which it said occurred between May 30 and Sept. 13, 2018, “did not involve any unauthorized access to other types of information, such as full Social Security number, banking or credit card information or information about your health or medical care,” but it urged customers to be on the lookout for potential abuses of their data.

“Defending against credential-based attacks is one of the most difficult challenges that organizations face today. When malicious actors get access to trusted insiders’ credentials, they are able to access systems, leap from server to server, and find their way to troves of sensitive information,” said Armaan Mahbod, manager of the Insider Threat Analyst Team at Dtex Systems.
“Unfortunately, human error is exposing credentials at alarming rates.”

While “visibility is a huge buzzword” that gets tossed around as a solution to preventing attacks, Mahbod said that “simple visibility isn’t sufficient when it comes to detecting credential-based attacks. Organizations need context-aware capabilities in order to understand when credentials are being misused.”