Molina Health Exposes Scores of Patient Records to Open Internet

Molina Healthcare has fixed a flaw that exposed “countless” patient medical claims to the entire internet without requiring any authentication.

According to independent researcher Brian Krebs, gaining access to a single hyperlink to an online patient record would allow an attacker to enumerate and download all other claims. This exposed patient names, addresses and dates of birth, as well as medical procedure codes and any prescribed medications.

“In April 2017 I received an anonymous tip from a reader who said he’d figured out that just by changing a single number in the Web address when accessing his recent medical claim at MolinaHealthcare.com he could then view any and all other patient claims,” Krebs said in a blog post. “More alarmingly, the link he was given to access his claim with Molina was accessible to anyone who had the link; no authentication was required to view it. Nor was any authentication required to view any other records that could be accessed by fiddling with the numbers after the bit at the end of Molinahealthcare.com address (e.g., claimID=123456789).”

He added, “The company declined to say how many records may have been exposed, but it looks like potentially all of them.”
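The flaw Krebs describes is a missing authorization check on a guessable identifier. As an added illustration, not code from Molina or from Krebs's post, here is a minimal claim lookup in that vulnerable shape beside a hardened version that ties each claim to the authenticated member, plus a simple log check for the sequential-ID pattern such enumeration leaves; the claim, session and log data are all constructed.

```python
# Added example (not Molina's code; all data constructed): a claim lookup in
# the vulnerable shape the article describes, its hardened form, and a log
# check for sequential claimID enumeration.
from collections import defaultdict

# claim_id -> (owning member_id, summary)
CLAIMS = {
    123456789: ("M-001", "office visit, CPT 99213"),
    123456790: ("M-002", "lab panel, CPT 80053"),
    123456791: ("M-001", "generic prescription"),
}
# session token -> authenticated member_id
SESSIONS = {"tok-alice": "M-001", "tok-bob": "M-002"}

def get_claim_vulnerable(claim_id):
    """No authentication, no ownership check: any sequential ID, anyone's
    record (the flaw the article describes)."""
    record = CLAIMS.get(claim_id)
    return record[1] if record else None

def get_claim_hardened(session_token, claim_id):
    """Requires a valid session and returns the claim only if it belongs to
    the authenticated member; unknown and foreign IDs both yield None so the
    response does not confirm that another member's claim exists."""
    member_id = SESSIONS.get(session_token)
    if member_id is None:
        return None  # unauthenticated request
    record = CLAIMS.get(claim_id)
    if record is None or record[0] != member_id:
        return None  # not found, or not this member's claim
    return record[1]

def enumeration_suspects(log_lines, min_run=5):
    """Flags client IPs whose requests cover a run of at least min_run
    consecutive claimIDs, the access pattern of ID enumeration.
    Constructed log line format: '<ip> GET /claims?claimID=<n>'."""
    ids_by_ip = defaultdict(set)
    for line in log_lines:
        ip, _, path = line.split(" ", 2)
        ids_by_ip[ip].add(int(path.rsplit("=", 1)[1]))
    suspects = []
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            suspects.append(ip)
    return suspects
```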

The Fortune 500 company said it has fixed the issue: “The previously identified security issue has been remediated. Because protecting our members’ information is of utmost importance to Molina and out of an abundance of caution, we are taking our ePortal temporarily offline to perform additional testing of our system security. Molina has also engaged Mandiant to assist the company in continuing to strengthen our system security.”

Krebs also said that this is not the first such flaw, and that he has confirmed two very similar flaws at other healthcare/insurance companies.

“We often focus on elaborate cyber threats like the Wannacry ransomware that recently wreaked havoc on organizations around the world,” said Nat Kausik, CEO, Bitglass, in an email. “But the fact remains that many organizations lack basic security. This is especially true in the heavily regulated healthcare industry. Molina Healthcare is just one example of an IT oversight that led to massive exposure of PHI. Hacking and IT incidents like the Molina Health flaw are the leading cause of breach events and continue to pose the greatest risk to healthcare organizations. These breaches are also incredibly costly—the average cost per leaked record for healthcare firms topped $402 in 2016 according to the Ponemon Institute.”

Bitglass found that the volume of leaked records in healthcare fell in 2016 and was on track to fall further in 2017. However, the number of breaches in the healthcare industry hit an all-time high in 2016, with 328 US healthcare firms reporting data breaches, up from 268 in 2015, according to reported HHS data.

“Healthcare organizations are major targets and will see any and all flaws exploited by malicious individuals,” said Kausik. “As healthcare organizations make patient data more accessible to individuals and new systems, they must make information security their top priority.”