Humana Inc., one of the largest health insurance providers in the United States, has disclosed a data breach affecting customers across Texas, Florida, Georgia, North Carolina, Ohio, and Virginia. The Louisville, Kentucky-based insurer confirmed that unauthorized actors accessed its systems in August 2025 by exploiting a vulnerability in a third-party vendor's software. The breach was discovered in September and publicly disclosed Wednesday. Humana has not yet released a victim count, and the incident has not appeared on the Texas Attorney General's data breach tracker as of disclosure.
What Happened
Humana stated that unauthorized users gained access to its systems in August 2025 through a vulnerability in software provided by an unnamed third-party vendor. The intrusion went undetected for approximately a month before Humana identified the compromise in September. Upon discovery, the company patched the vulnerable software and notified law enforcement. The breach affects an undisclosed number of customers across six states where Humana provides Medicare Advantage, Medicaid, military Tricare, prescription, dental, and vision coverage. This disclosure follows a separate incident last month in which Humana and its vendor CenterWell Certified Healthcare Corp. were hit with a federal class action lawsuit over data security failures; 4,618 individuals were confirmed affected in that incident, per the Texas AG's tracker.
What Was Taken
According to Humana's breach notification, the exposed information varied by individual but included a sensitive combination of identifiers and protected health information:
- Full names
- Humana Identification numbers and other patient account numbers
- Social Security numbers
- Medical billing and claims information
- Dates of service
- Provider names
- Other health insurance information
This combination constitutes a near-complete identity package, sufficient for medical identity theft, insurance fraud, tax fraud, and downstream social engineering against affected individuals and their healthcare providers.
Why It Matters
Humana sits at the center of critical healthcare infrastructure for tens of millions of Americans, including 4.6 million military members, veterans, and family members served through its Humana Military subsidiary, which manages Tricare East. The exposure of SSNs alongside medical claims data creates lasting risk that cannot be remediated by credit monitoring alone. Stolen medical records routinely sell for higher prices than payment card data on illicit markets because they enable insurance fraud schemes that can persist undetected for years. The repeat nature of Humana's vendor-related breaches, with this incident following the CenterWell disclosure by weeks, underscores a systemic third-party risk problem within the insurer's supply chain that defenders across the healthcare sector should treat as a warning indicator.
The Attack Technique
Humana attributed the intrusion to a "vendor's software vulnerability," indicating an upstream supply chain compromise rather than a direct attack on Humana's own perimeter. The vendor and specific CVE have not been publicly identified. The roughly 30-day dwell time between initial access in August and detection in September is consistent with patterns seen in opportunistic exploitation of unpatched third-party SaaS or healthcare-adjacent software, where attackers harvest data quietly rather than deploy ransomware. No threat actor has claimed responsibility, and Humana has not characterized the activity as ransomware or extortion-driven.
What Organizations Should Do
- Inventory all third-party vendors with access to PHI or PII and require evidence of patching SLAs, vulnerability disclosure processes, and breach notification timelines in contracts.
- Apply continuous monitoring to vendor-facing integrations, including API gateways, file transfer services, and SaaS connectors, to detect anomalous data egress patterns indicative of upstream compromise.
- Enforce least-privilege access for vendor accounts and segment vendor-accessible systems from core claims and member databases to limit blast radius.
- Implement data loss prevention controls tuned for HIPAA-regulated data classes, particularly bulk exports of claims, billing, and member identifier records.
- For affected individuals, place fraud alerts or credit freezes with all three bureaus, monitor explanation-of-benefits statements for unfamiliar claims, and request medical record audits from providers.
- Healthcare CISOs should review the OCR breach portal and state AG trackers weekly for vendor names appearing in their own supply chain to detect lateral exposure early.
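One way to implement the egress monitoring and bulk-export checks recommended above, as an added example that is not from Humana or the cited report: it baselines each vendor account's daily exported record count and flags days far above the median. The log format, the account names (`svc-vendor-a`, `svc-vendor-b`), and the thresholds are assumptions, and the sample lines are constructed.

```python
import statistics
from collections import defaultdict
# Constructed sample export log: date, vendor service account, data class, records.
SAMPLE_LOG = """\
2025-03-01 svc-vendor-a claims 1200
2025-03-02 svc-vendor-a claims 1150
2025-03-03 svc-vendor-a claims 1300
2025-03-04 svc-vendor-a claims 1250
2025-03-05 svc-vendor-a claims 1180
2025-03-06 svc-vendor-a claims 1220
2025-03-07 svc-vendor-a claims 48000
2025-03-07 svc-vendor-a member_ids 52000
2025-03-01 svc-vendor-b billing 300
2025-03-02 svc-vendor-b billing 320
2025-03-03 svc-vendor-b billing 310
2025-03-04 svc-vendor-b billing 290
2025-03-05 svc-vendor-b billing 305
2025-03-06 svc-vendor-b billing 900
"""

def parse_exports(log):
    """Sum exported records per vendor account per day, across data classes."""
    daily = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines rather than failing the whole run
        day, account, _data_class, count = parts
        daily[account][day] += int(count)
    return daily

def flag_bulk_exports(daily, min_history=5, k=6.0, floor=1000):
    """Return (account, day, total) where total > median + max(k*MAD, floor)."""
    alerts = []
    for account, days in daily.items():
        history = []
        for day in sorted(days):
            total = days[day]
            if len(history) >= min_history:
                med = statistics.median(history)
                mad = statistics.median(abs(x - med) for x in history)
                # floor stops a near-constant baseline (MAD ~ 0) alerting on noise
                if total > med + max(k * mad, floor):
                    alerts.append((account, day, total))
                    continue  # keep the anomalous day out of the baseline
            history.append(total)
    return alerts
```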
Sources: Data breach hits Humana customers in Texas, five other states