May 25, 2017

Earlier this month, KrebsOnSecurity featured a story about a basic security flaw in the Web site of medical diagnostics firm True Health Group that let anyone who was logged in to the site view all other patient records. In that story I mentioned True Health was one of three major healthcare providers with similar website problems, and that the other two providers didn’t even require a login to view all patient records. Today we’ll examine a flaw that was just fixed by Molina Healthcare, a Fortune 500 company that until recently was exposing countless patient medical claims to the entire Internet without requiring any authentication.

molinalogoIn April 2017 I received an anonymous tip from a reader who said he’d figured out that just by changing a single number in the Web address when accessing his recent medical claim at MolinaHealthcare.com he could then view any and all other patient claims.

More alarmingly, the link he was given to access his claim with Molina was accessible to anyone who had the link; no authentication was required to view it. Nor was any authentication required to view any other records that could be accessed by fiddling with the numbers after the bit at the end of Molinahealthcare.com address (e.g., claimID=123456789).

In other words, having access to a single hyperlink to a patient record would allow an attacker to enumerate and download all other claims. The source showed me screenshots of his medical records at Molina, and how when he changed a single number in the URL it happily displayed another patient’s records.

The records did not appear to include Social Security numbers, but they do include patient names, addresses and dates of birth, as well as potentially sensitive information that may point to specific diseases, such as medical procedure codes and any prescribed medications.

I contacted Molina about the issue, and the company released a brief statement saying it had fixed the problem. Molina also said it was trying to figure out how such a mistake was made, and if there was any evidence to suggest the Web site bug had been widely abused.

“The previously identified security issue has been remediated,” the company said. “Because protecting our members’ information is of utmost importance to Molina and out of an abundance of caution, we are taking our ePortal temporarily offline to perform additional testing of our system security. Molina has also engaged Mandiant to assist the company in continuing to strengthen our system security.”

The company declined to say how many records may have been exposed, but it looks like potentially all of them.

Headquartered in Long Beach, Calif., Molina Healthcare was ranked 201 in 2016 in the Fortune 500. It’s unconscionable that such a basic, Security 101 flaw could still exist at a major healthcare provider today. However, the more I write about these lame but otherwise very serious vulnerabilities at healthcare firms the more I hear about how common they are from individual readers.

Since that True Health Group story was published, I’ve heard about and confirmed two very similar flaws at healthcare/insurance companies. Please keep the tips coming, Dear Readers, and I will do my best to encourage these companies to do more than just pay lip service to security.


37 thoughts on “MolinaHealthcare.com Exposed Patient Records

  1. IRS iTunes Card

    Another informative article !

  2. petepall

    I love these comments when confronted: “Blah, blah, blah blah blah.” I mean, really? That’s all they’re worth.

  3. Ollie Jones

    The Molina company hasn’t notified CMS about this breach, apparently, at least not yet.

    https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

    I worked in a hospital for a while, and learned that public figures who are patients usually register under pseudonyms to preserve their privacy. Even though the HIPAA regulations have the longest arms and the sharpest teeth in the US cyberprivacy business, they still have lots of ways around them.

    1. Ollie Jones

      Brian, when you gather news about HIPAA healthcare breaches, you might consider asking companies if they have notified CMS (Centers for Medicare and Medicaid Services), when they’re planning to, and so forth.

      If they know less than 500 folks’ records were disclosed, they don’t have to notify. In the case of this Molina breach, where any website visitor could trivially guess how to view records, there’s only one way they could conceivably know it’s less than 500, and that’s by scouring their web logs.

      The size of breach is obviously relevant to the story, not to mention the patients of the affected company.

    2. Reader

      +1 great suggestion in your comments.

      I would like to see it addressed.

      1. BrianKrebs Post author

        I can guess how this one (and so many others involving exposed healthcare records) is going to go: The lawyers are going to say, okay, do we know of any abuse? No one is logging? Okay no breach then. Or, how many people do we know accessed these records? Well, there was the one that Krebs accessed (with permission from the source), so I guess that’s two records. Yep, two records were breached.

        1. theresa defino

          Actually, it’s OCR (not CMS) and breaches are presumed to be reportable unless the entity can prove there was a low probability of compromise. Doesn’t matter what the lawyers think and no evidence of harm/misuse is required.

  4. Novae

    Thank you for putting a spotlight on this, Brian.

    I work in healthcare, and the security is somewhere between horrendous and execrable, and there’s not enough people sounding the alarm to force some meaningful change.

    The healthcare sector has been sitting back and assuming that they’re safe because hackers traditionally have left them alone out of either ethical concerns or simply fear of aggressive prosecution.

    However, now that we’ve entered the age of push-button, mass-market hacking/ransomware, it’s only a matter of time until someone starts targeting us more directly, and it’s probably going to get people killed.

    I know that you already focus a lot on skimmers and stresser/DoS sites, but I hope you can find time to also focus on the painfully neglected healthcare security area as well.

  5. Reader

    “and I will do my best to encourage these companies to do more than just pay lip service to security”

    Well said!

  6. Marcus McCrory

    Technically, breaches < 500 still require notification to HHS/OCR.

    "If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered.) The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by clicking on the link below and completing all of the fields of the breach notification form."

    This is from:-

    https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html?language=es

  7. AlSitte

    Ok… just curious because I do not know…
    Is there a whistleblower process for reporting this kind of stupidity to HHS or OCR or other alphabet soup agency responsible for tracking on poor security practices and breaches involving sensitive information?
    If I were a customer of one of these service providers, and discovered a substantial flaw, who would I be able to contact to get action? Obviously, not the service provider!!

    Maybe krebsonsecurity.com is becoming that reporting mechanism unintentionally. I know that the feds monitor reports on this site for open source news and intelligence.

    I agree Brian… this level of incompetence in regards to security engineering for sensitive data is absolutely unacceptable.

  8. Steve C

    Very convenient. If they are purposely not looking into how many records were compromised then they do not have to report a breach.

  9. KG

    Do we know if this application is homegrown or if it is a vendor product such as a patient portal? Thanks!

  10. Godel

    Bloody Hell.

    A fortune 500 company with a public facing web site carrying confidential customer medical information and they don’t do even the most basic pen testing!

  11. Robert Scroggins

    Good work, Scott! Keep the light shining on thoughtless use of the internet from a security standpoint.

    Regards,

  12. Abraham

    I work in healthcare too. Speaking to execs, the main argument I hear against taking security seriously- which usually takes place behind close doors and once the lawyers are away – is that security simply doesn’t pay off.

    Why should Molina, or any other company for that matter, care about protecting its clients’ data? I’m not being sarcastic here. From a pure cost-benefit analysis, engaging a PR firm and providing one year of free credit monitoring is way cheaper than investing in security. The latter doesn’t only mean spending money on qualified and expensive personnel and purchasing a good set of tools; it also means delaying feature releases, not inventing new and innovative ways to share data among providers, diverting valuable resources from profit centers to a cost center, etc.

    This article is great and all. But honestly, how many clients would leave Molina now that they know that their medical history is out? Maybe a few HIV positive patients who kept their diagnosis a secret. Maybe a few security nuts. But other than that, by and large Molina didn’t lose a thing.

    1. Arianne

      I found your insight refreshing as you managed to state a very valid and sound chain of reasoning that whail not what the masses may wish to hear or believe remains a good possibility.
      So thank you for not dumpping a bunch of sugar on it and trying to be Willy Wonka l appreciate it.

    2. Nobby Nobbs

      There’s another rationalization: “Nobody else is doing it, so why should we?” I see this thinking all the time.

      The only way to fight it is with logic: “Suppose no one else vaccinated their kids? Wouldn’t you want to vaccinate yours, even if it was at a cost of time and money?”

      As the saying goes in the healthcare biz: “You can tell a doctor, but you can’t tell him much.” I find couching security arguments in medicals terms helpful.
      GL, all keep fighting!

      1. zboot

        The problem with your argument is that not vaccinating your kids has a cost. Should you child get a disease normally protected by vaccines, they could die – or require very expensive medical care. If the only lifetime cost of not vaccinating was $5, then heck yeah, I’d skip it too.

        When the cost to not securing your customers information is negligible, then many companies will take the cheaper option. Choices are made in the context of cost as well. If the cost of the best option is high, people generally will limit their choices to the options which fit within the costs they can afford.

        1. HIT

          The HITECH act is what requires breach notification. It also added tiered penalties that are most severe if “willful neglect” can be shown. If it can be proven that you knew of a potential vulnerability and didn’t act because it was cheaper to not act and take the risk, that would not be good. The top penalties are $1.5 million on top of correcting the issue. It also allows State Attorneys General to enforce HIPAA violations AND sue to collect damages on behalf of residents of their states. If your records were potentially compromised (or you have a complaint), you may want to contact the Attorney General of your state.

    3. H Davis

      We need a civil cause of action to allow those whose records have been exposed, whether used fraudulently or not, to sue for damages. This would loose the class action lawyers on these folks. A very expensive penalty with lots of bad publicity.

  13. MR

    This vulnerability is # 4 in the OWASP top ten list.
    A4 – Broken Access Control “Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.” There are many free tools available to test these types of vulnerabilities – Nessus, N-Stalker, Nexpose will all find this type of vulnerability. In security we get so busy with the most recent threats that the very basics are somehow missed.

    1. vb

      Better stated as ” Insecure Direct Object References.”. In other words, allowing a user direct access to an object without checking if the user is authorized to get that object.

      “Everyone can read everything” seems to be the security model of choice for many web sites with customer data.

  14. Anon

    “The company declined to say how many records may have been exposed, but it looks like potentially all of them”

    This is my favorite part of this article, hard hitting journalism at its finest. Krebs continues to prove to us all why we should take him seriously. If he had any respect for the truth or journalism as an institution he’d omit claims like this, but he lives in the world of sensationalism where verifying facts doesn’t matter. I’m fairly certain they teach you about logical fallacies in the 9th grade. You might want to go back a brush up on those?

  15. JCitizen

    Good grief!!! I worked for a small non-profit that was under HIPAA regulations, and we knew better than this!! We even had a team looking for penetrations in our network, and not only dealing with them, but prosecuting the miscreants that did it!

    Good work as always Brian!

    1. zboot

      Knowing better and doing better are two different things.

      There’s a clear financial benefit to the latter and minimal for the former.

  16. Terri Scott

    I had someone call me after I contacted Molina to get thier insurance. A few weeks later, someone called me and set it up plan and I paid my premium. I found out later thar molina never recieved eventhough it already cleared my account. Molina denies it so I called USAA and they CONFIRMED it. I can’t seem to get my money back from Molina cause they deny the transaction and stated they do not take premium payments over phone. Could this be related?
    Terri scoyy

  17. Matthew Norton

    I worked at this company and saw work done for this company. The issue is that the IT leadership is disengaged and security is in denial. Development is just done, validation for vulnerability is not done or done correctly, releases just move into production. The list of should have been done is long. Input has been provided over a long period of time and action is not taken. This is not the first time this has happened, security and IT know it. Governance is missing. you can bring Mandiant and anyone else, what good is it if your head is the sand. The organization is sleep at the wheel and the oversight of what actually gets done by IT is none existant. Details and facts are regularly masked from senior executive management and board oversight. Is it any wonder that this is the latest of happenings, it’s not a coincidence. They work at it.

  18. David Smith

    I’m a Molina subscriber and they just took down their online portal and sent members this message:

    Dear Valued Molina Member,
    We are working to update several of our online services. The following will be temporarily unavailable starting May 25, 2017 and may be unavailable for a period of time.
    • My Molina
    • Molina Payment – Pay Now Feature
    We are working to complete the updates as quickly as possible.

    No mention of the security issues.

  19. KLD

    As an independent healthcare provider for Molina Healthcare (and numerous others), this does not surprise me at all that MHC has this issue. They are a HORRIFIC company to deal with on many levels and especially anything that pertains to IT. Their system(s) are nothing short of “pre caveman” era. Too bad CMS, or any other agencies that are the supposed watch dogs of the system, will do nothing more than a little slap on the wrist.

    Thanks for the great article.

  20. Keith Appleyard

    I recall finding an almost identical glitch approx 10 years ago with Thomson Reuters when they were hosting American Express Investor Relations material prior to release to Wall Street Analysts.

  21. Clark Yates

    It’s interesting the comments made here. I recently saw that the Molina CIO had won some sort of award for the CIO Hall of Fame and another IT Manager was recognized by DELL for Transformation Award. I took a second look to make sure it was not Hall of Shame given this particular situation that was uncovered.

  22. brady haight

    I am hearing that there is a scramble to patch for the CryMeNow issue as servers had not been patched for months on back. Maybe CMS can check on that as well along with the breach. Is there anyone minding the store in that place?

Comments are closed.