The health reports of patients of the True Health Group have been exposed online and were viewable by other patients for months – most likely years – due to a True Health Diagnostics website flaw.
True Health Diagnostics is a Frisco, TX-based company that offers a wide range of testing procedures for genetic and other diseases. The company operates a web portal which patients can access to view their test results. Logging into the web portal allows patients to access PDF files containing their personal information and testing data.
However, logging into the site allowed patients to view not only their own records but also those of other patients. The PDF file names used sequential numbers, so changing the PDF file name in the URL would easily allow patients to view other test reports. For example, if the file was numbered 10001.pdf, entering the file name 10002.pdf would allow the patient to view a different report. That report would likely be the test results of a different patient.
The True Health Diagnostics website flaw was discovered by patient and IT consultant Troy Mursch. Mursch noticed that sequential numbers were used based on previous medical tests he had through the firm. He tried changing the file numbers and discovered he was able to view the test results of other patients.
Mursch reported the True Health Diagnostics website flaw to the firm, which rapidly shut down the system to prevent further unauthorized disclosures. The firm has since fixed the problem and all patient test results are now secured.
An investigation has been launched to determine which other patient records, if any, have been accessed without authorization by other patients. It is unclear for how long the flaw has existed, although Mursch believes it may have been years.
The incident shows the danger of using sequential numbers for files that are accessible through patient portals without encrypting the URLs to prevent individuals from accessing the data of other patients. Organizations should also ensure that users can only access their personal test results and medical information through patient portals.
Organizations should perform checks to ensure that patients are only accessing their own records, and that records can only be accessed if a user has first logged in. Penetration testing of patient portals is strongly advisable to identify potential flaws that could result in the unauthorized disclosure of sensitive health data.
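The ownership check described above can be sketched as follows. This is an added example, not code from True Health Diagnostics or from the original article; the report store, session format, function names and patient identifiers are all assumptions constructed for illustration. It places the flawed pattern (login is the only check) beside a handler that also verifies the record belongs to the logged-in patient.

```python
# Constructed sample data: report numbers and patient names are illustrative only.
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Report:
    owner: str   # patient account the report belongs to
    body: bytes  # PDF bytes in a real portal


REPORTS = {
    10001: Report("patient-a", b"%PDF report for patient-a"),
    10002: Report("patient-b", b"%PDF report for patient-b"),
}


def fetch_report_unchecked(session, report_id):
    """The flawed pattern: being logged in is the only check."""
    if not session or "user" not in session:
        return 401, b""
    report = REPORTS.get(report_id)
    return (200, report.body) if report else (404, b"")


def fetch_report_checked(session, report_id):
    """Hardened: the record must belong to the logged-in patient."""
    if not session or "user" not in session:
        return 401, b""
    report = REPORTS.get(report_id)
    # Same 404 for "missing" and "not yours", so responses do not
    # reveal which report numbers exist.
    if report is None or report.owner != session["user"]:
        return 404, b""
    return 200, report.body


def new_report_token():
    """Unguessable identifier to use in URLs instead of a sequential number
    (defence in depth; it does not replace the ownership check)."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    patient_a = {"user": "patient-a"}
    for rid in (10001, 10002):
        print(rid, fetch_report_unchecked(patient_a, rid)[0],
              fetch_report_checked(patient_a, rid)[0])
```

A test suite for a portal can run the same comparison with two test accounts: any request for another account's record that returns 200 is a finding.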