Humana today confirmed it notified an undisclosed number of people about an August 2025 data breach that compromised the following personal info:
- Names
- Social Security numbers
- Medical billing and claims info
- Dates of service
- Provider names
- Humana ID numbers
- Patient account numbers
- Health insurance info
Humana subsidiary Centerwell also started issuing data breach notices this month. The Texas attorney general reported 4,618 people in Texas were notified of the breach. Both Humana and Centerwell were hit with a class-action lawsuit in which plaintiffs allege the two companies failed to protect patient data.
A cybercriminal group called Clop (“Cl0p”) took credit for the breach shortly after it occurred.
Humana has not acknowledged Clop’s claim and Comparitech cannot independently verify it. We do not know how many people were compromised, how attackers breached Humana’s systems, if Humana paid a ransom, or how much Clop demanded. Comparitech contacted Humana for comment and will update this article if it replies.
“On September 29, 2025, Humana learned of unauthorized access to certain of Humana’s internal systems in August of 2025 caused by a vendor’s software vulnerability,” says Humana’s notice (PDF) to breach victims.
Humana is offering breach victims 24 months of free credit monitoring and identity restoration services through Equifax. The deadline to enroll is March 31, 2027.
Who is Clop?
Clop, or Cl0p, is a high-profile ransomware group that first surfaced in 2019. It specializes in exploiting zero-day software vulnerabilities, most recently in Oracle’s E-Business Suite and the Cleo file transfer software. Cl0p targets any organization using the vulnerable software. Like some other ransomware groups, Clop doesn’t always encrypt files. Instead, it steals data and then demands a ransom to not publish or sell it.
Humana cited a vendor’s software vulnerability as the cause of the breach. At that time, Clop also claimed several other attacks exploiting the Oracle vulnerability.
In 2025, Clop claimed responsibility for 456 attacks. Of those, 35 were confirmed by the targeted organizations. 119 of the claims were linked to the Oracle vulnerability, 29 of which were confirmed.
Humana wasn’t the only healthcare business targeted by Clop. The group also breached Parexel International and Barts Health NHS Trust. The latter sought a High Court order in an attempt to ban the data from being published and shared.
In 2026 to date, Clop has made another 123 attack claims.
Ransomware attacks on US healthcare businesses
Comparitech researchers logged 31 confirmed ransomware attacks on US companies that operate in the healthcare sector but that do not provide direct care. The category includes pharmaceutical companies, medical device makers, medical software developers, insurance companies, and medical billing companies, but not hospitals or clinics.
The resulting data breaches resulted in companies sending notices to more than 196 million people.
Some of those breaches include:
- Catalyst RCM and Viktor Scientific notified 139,964 people of a November 2025 data breach claimed by Everest
- Resource Corporation of America reported a December 2025 data breach for which Medusa demanded $800,000
Two more such attacks have been confirmed in 2026 to date out of 37 claims made by ransomware groups.
Ransomware can both steal data and lock down computer systems, but in Clop’s case, it’s most likely just the former. The attackers then demand a ransom in exchange agreeing to destroy the stolen data. If companies fail to pay, they could put breach victims at increased risk of fraud.
About Humana
Humana is the fourth-largest health insurance agency in the USA. The company came under scrutiny in the past few years for fraud and denying Medicare claims based on AI algorithms.
Centerwell is a Humana subsidiary that includes a pharmacy, senior care, and home health services.
