A patient portal security flaw has resulted in the exposure of patient claims information. Claims information had been uploaded to the patient portal of the Long Beach, California-based managed care company Molina Healthcare; however, the information was accessible without any authentication checks.
Patients who had been sent a link to their claims could click those links without any checks being performed to ensure they were the intended recipients of the links. Any individual with access to the link could access patients’ claims information.
Further, the system used to number claims meant that if a digit in the URL was changed, it was possible to view the claims information of other patients. For example, if the claim number was 1234567, changing the claim number to 1234560 would bring up a different patient’s information.
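The two defects the article describes (no authentication on the claim link, and sequential claim numbers that resolve to any patient's record) are the textbook insecure direct object reference. The following is an added illustration, not Molina's code; the claim store, patient ids and function names are constructed for the example. It shows the unsafe lookup beside a hardened version that requires a logged-in user, checks that the claim belongs to that user, and issues unguessable link tokens in place of sequential numbers.

```python
import secrets
from typing import Optional

# Constructed sample claim store: sequential claim number -> record.
CLAIMS = {
    1234567: {"patient_id": "p-001", "summary": "office visit"},
    1234560: {"patient_id": "p-002", "summary": "prescription refill"},
}

def vulnerable_view_claim(claim_no: int) -> Optional[dict]:
    """The pattern described in the article: the link resolves by claim
    number alone, with no login and no check of who owns the claim, so
    any number that exists returns some patient's record."""
    return CLAIMS.get(claim_no)

def hardened_view_claim(session_user: Optional[str], claim_no: int) -> Optional[dict]:
    """Returns the claim only for an authenticated user who owns it.
    Missing and foreign claims both yield None so a caller cannot use the
    response to learn whether a guessed claim number exists."""
    if session_user is None:          # no authenticated session
        return None
    claim = CLAIMS.get(claim_no)
    if claim is None or claim["patient_id"] != session_user:
        return None                   # object-level authorization failed
    return claim

# Link tokens: a random 256-bit token stands in for the sequential number
# in the emailed URL, so nearby values are not valid identifiers.
LINK_TOKENS: dict = {}

def issue_claim_link(claim_no: int) -> str:
    token = secrets.token_urlsafe(32)
    LINK_TOKENS[token] = claim_no
    return token

def view_claim_by_link(session_user: Optional[str], token: str) -> Optional[dict]:
    """Resolve the token, then apply the same ownership check; the token
    replaces the guessable number but does not replace authentication."""
    claim_no = LINK_TOKENS.get(token)
    if claim_no is None:
        return None
    return hardened_view_claim(session_user, claim_no)
```

The important point for reviewers is that the random token alone is not the fix; every lookup still passes through the ownership check.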
The patient portal security flaw was reported to security researcher Brian Krebs by an anonymous source. The flaw was demonstrated to Krebs, revealing sensitive information could be easily accessed by unauthorized individuals. The types of data in the files accessible through the portal included names, addresses, birthdates, prescriptions and medical procedure information.
Krebs reached out to Molina Healthcare to alert it to the vulnerability and the ePortal was temporarily shut down while an investigation was conducted. Molina Healthcare says the issue has now been remediated, although the investigation is continuing to determine how many individuals have been affected and whether the flaw was widely abused. Molina Healthcare has brought in the cybersecurity firm Mandiant to assist with the forensic investigation and to help improve system security.
At present, it is unclear for how long the patient portal security flaw has existed and how many individuals have been impacted, although it is probable that the flaw affected all of the company’s patients. Molina Healthcare serves individuals in 12 states and Puerto Rico, with more than 4.8 million customers.
As was pointed out by Brian Krebs, this was a basic security 101 flaw that should not exist. Krebs said, “The more I write about these lame but otherwise very serious vulnerabilities at healthcare firms the more I hear about how common they are from individual readers.”