Humana and Centerwell Hit by Clop Ransomware Attack in August 2025
Humana confirmed a data breach in August 2025, exposing sensitive personal and medical information of an undisclosed number of individuals. Compromised data includes names, Social Security numbers, medical billing details, claims info, provider names, Humana ID numbers, patient account numbers, and health insurance data. Subsidiary Centerwell also began notifying affected individuals this month, with Texas reporting 4,618 impacted residents.
The cybercriminal group Clop claimed responsibility for the breach, though Humana has not confirmed the attribution. The attack stemmed from a vendor’s software vulnerability, which Clop has exploited in other incidents, including a flaw in Oracle’s E-Business Suite. Humana is offering affected individuals 24 months of free credit monitoring and identity restoration services through Equifax, with an enrollment deadline of March 31, 2027.
Clop, active since 2019, specializes in zero-day exploits and often steals data without encrypting victims' systems, demanding ransom to prevent leaks. In 2025, the group claimed 456 attacks, with 35 confirmed, including breaches at Parexel International and Barts Health NHS Trust. The Oracle vulnerability alone accounted for 119 claims, 29 of which were verified.
The breach adds to a rising trend of ransomware attacks on U.S. healthcare entities. Comparitech recorded 31 confirmed attacks in 2025 on non-direct-care healthcare businesses, exposing data of over 196 million people. Other recent incidents include breaches at Catalyst RCM (claimed by Everest) and Resource Corporation of America (targeted by Medusa for an $800,000 ransom).
Humana, the fourth-largest U.S. health insurer, has faced prior scrutiny over fraud allegations and AI-driven Medicare claim denials. Centerwell, its subsidiary, provides pharmacy, senior care, and home health services. Both companies now face a class-action lawsuit alleging inadequate data protection.
Source: https://www.comparitech.com/news/humana-warns-patients-of-data-breach-that-leaked-ssns-medical-info/
Humana cybersecurity rating report: https://www.rankiteo.com/company/humana
Future Cardia cybersecurity rating report: https://www.rankiteo.com/company/oracle-health
Health Catalyst cybersecurity rating report: https://www.rankiteo.com/company/healthcatalyst
CenterWell cybersecurity rating report: https://www.rankiteo.com/company/centerwell
{
  "id": "HUMORAHEACEN1774290394",
  "linkid": "humana, oracle-health, healthcatalyst, centerwell",
  "type": "Ransomware",
  "date": "8/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
    'affected_entities': [
        {
            'customers_affected': 'Undisclosed number of individuals',
            'industry': 'Healthcare',
            'location': 'United States',
            'name': 'Humana',
            'size': 'Fourth-largest U.S. health insurer',
            'type': 'Health Insurer'
        },
        {
            'customers_affected': '4,618 Texas residents',
            'industry': 'Healthcare (Pharmacy, Senior Care, Home Health)',
            'location': 'United States',
            'name': 'Centerwell',
            'type': 'Subsidiary'
        }
    ],
    'attack_vector': 'Vendor’s software vulnerability',
    'customer_advisories': '24 months of free credit monitoring and identity restoration services (enrollment deadline: March 31, 2027)',
    'data_breach': {
        'data_encryption': 'No (Clop typically steals data without encryption)',
        'data_exfiltration': 'Yes',
        'number_of_records_exposed': 'Undisclosed (4,618 Texas residents confirmed)',
        'personally_identifiable_information': 'Yes',
        'sensitivity_of_data': 'High (PII and PHI)',
        'type_of_data_compromised': [
            'Names',
            'Social Security numbers',
            'Medical billing details',
            'Claims info',
            'Provider names',
            'Humana ID numbers',
            'Patient account numbers',
            'Health insurance data'
        ]
    },
    'date_detected': '2025-08',
    'date_publicly_disclosed': '2025-08',
    'description': 'Humana confirmed a data breach in August 2025, exposing sensitive personal and medical information of an undisclosed number of individuals. The cybercriminal group Clop claimed responsibility for the breach, which stemmed from a vendor’s software vulnerability. Humana is offering affected individuals 24 months of free credit monitoring and identity restoration services.',
    'impact': {
        'brand_reputation_impact': 'Yes',
        'data_compromised': 'Sensitive personal and medical information',
        'identity_theft_risk': 'High',
        'legal_liabilities': 'Class-action lawsuit'
    },
    'initial_access_broker': {'entry_point': 'Vendor’s software vulnerability'},
    'investigation_status': 'Ongoing',
    'motivation': 'Financial gain (ransom demand)',
    'post_incident_analysis': {
        'root_causes': 'Vendor’s software vulnerability (Oracle’s E-Business Suite flaw)'
    },
    'ransomware': {
        'data_encryption': 'No',
        'data_exfiltration': 'Yes',
        'ransomware_strain': 'Clop'
    },
    'references': [
        {'source': 'Humana breach notification'},
        {'source': 'Clop ransomware group claims'},
        {'source': 'Texas breach report'}
    ],
    'regulatory_compliance': {'legal_actions': 'Class-action lawsuit'},
    'response': {
        'communication_strategy': 'Notifications to affected individuals',
        'third_party_assistance': 'Equifax (credit monitoring and identity restoration services)'
    },
    'threat_actor': 'Clop',
    'title': 'Humana and Centerwell Hit by Clop Ransomware Attack',
    'type': 'Ransomware Attack',
    'vulnerability_exploited': 'Oracle’s E-Business Suite flaw'
}