Posts Tagged: Troy Mursch


8 May 17

Website Flaw Let True Health Diagnostics Users View All Medical Records

Over the past two weeks readers have pointed KrebsOnSecurity to no fewer than three different healthcare providers that failed to provide the most basic care to protect their patients’ records online. Only one of the three companies — the subject of today’s story — required users to be logged on in order to view all patient records.

A week ago I heard from Troy Mursch, an IT consultant based in Las Vegas. A big fan of proactive medical testing, Mursch said he’s been getting his various lab results reviewed annually for the past two years with the help of a company based in Frisco, Texas called True Health Diagnostics.

True Health is a privately held health services company specializing in “comprehensive testing for early detection of chronic diseases,” according to the company’s Web site.

The medical reports that True Health produces contain vast amounts of extremely personal information on patients, including indicators of genetic abnormalities as well as markers of potentially current and future diseases.

To demonstrate the flaw, Mursch logged into his account at True Health and right clicked on the PDF file for his latest health report. He showed how the site would readily cough up someone else’s detailed health records and blood tests if he modified a single digit in the link attached to that PDF record and then refreshed the page.

I alerted True Health Diagnostics immediately after verifying the flaw, and they responded by disabling the healthcare records data portal within minutes of our call. Over the weekend, True Health said it discovered and fixed the source of the problem.

“Upon discovering the potential for registered users of our patient portal to access data for individuals other than themselves, we immediately shut down the system in order to resolve any vulnerabilities,” the company said in a statement emailed to this author.  “True Health has total confidence that all patient records are fully secure at this time. We regret this situation and any harm it may have caused.”

The statement said True Health CEO Chris Grottenthaler has ordered an immediate investigation to determine which files, if any, were improperly accessed.

“It will be thorough, speedy and transparent,” the statement concludes. “Nothing is more important to us than the trust that doctors and patients put in our company.”

The company says it is still investigating how long this vulnerability may have existed. But Mursch said it appears True Health assigned his healthcare record a number drawn from a sequential series, and that the gap between the record number on a result he received recently and the one on a set of test results produced two years ago indicates at least two million records may have been exposed in between.

“I would assume all patient records were exposed,” Mursch wrote in an email.

Alex Holden, founder of cybersecurity consultancy Hold Security, said he’s responded to a number of inquiries of late regarding clients who inadvertently published patient data online with little or no authentication needed to view sensitive health records.

Holden said he advises clients to add security components to their links to encrypt any portion of the link that contains data so that it can’t be easily reversed or manipulated. He also tells clients not to use sequential account numbers that can be discovered by simply increasing or decreasing an existing account number by a single digit.

“A lot of times the medical records are stored sequentially as PDF files and they all just sit in the same folder that patients can access with a Web browser,” Holden said. “And in many cases they are not even protected by a username and password.”
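The two failures the story turns on, an authenticated download endpoint that never checks whose record is being requested, and a link whose only secret is a sequential number, are easy to see side by side in code. The following is an added illustration, not True Health's code or anything Holden supplied: a minimal report handler written the vulnerable way, the same handler with an ownership check, and a signed link in the spirit of Holden's advice (the example signs the id portion with an HMAC rather than encrypting it, so the number stays visible but cannot be edited). The in-memory store, user names, record numbers and `SERVER_KEY` are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample store. Record ids are sequential integers, the pattern
# the article describes; the owners and PDF bytes are made up.
REPORTS = {
    1000001: {"owner": "alice", "pdf": b"%PDF-1.4 alice lab panel"},
    1000002: {"owner": "bob",   "pdf": b"%PDF-1.4 bob lab panel"},
}


class Forbidden(Exception):
    """Raised when a request must be refused (an HTTP 403 in a real app)."""


def get_report_vulnerable(session_user, record_id):
    """The flaw: authentication only. Any logged-in user receives any
    record, so changing one digit of the id in the link returns a
    stranger's PDF."""
    if session_user is None:
        raise Forbidden("login required")
    return REPORTS[record_id]["pdf"]


def get_report_secure(session_user, record_id):
    """Authorization: the record must belong to the logged-in user.
    Missing and foreign records get the same response, so the id space
    cannot be probed to learn which numbers exist."""
    if session_user is None:
        raise Forbidden("login required")
    rec = REPORTS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        raise Forbidden("no such report")
    return rec["pdf"]


# Holden's second point: the link should not carry a bare, editable id.
# Here the id is bound to the user with an HMAC under a server-side key;
# any change to the id or the user invalidates the signature.
SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret


def _sign(user, record_id, key):
    return hmac.new(key, f"{user}:{record_id}".encode(), hashlib.sha256).hexdigest()


def make_report_link(user, record_id, key=SERVER_KEY):
    """Build the download link the portal would hand to a logged-in user."""
    return f"/reports/{record_id}?u={user}&sig={_sign(user, record_id, key)}"


def open_report_link(session_user, link, key=SERVER_KEY):
    """Server side of the signed link. The signature must verify, the user in
    the link must be the session user, and the ownership check in
    get_report_secure must still pass."""
    parts = urlsplit(link)
    try:
        record_id = int(parts.path.rsplit("/", 1)[1])
    except (ValueError, IndexError):
        raise Forbidden("bad link")
    q = parse_qs(parts.query)
    user = q.get("u", [""])[0]
    sig = q.get("sig", [""])[0]
    expected = _sign(user, record_id, key)
    # Constant-time comparison so the check leaks nothing about the tag.
    if not hmac.compare_digest(sig.encode(), expected.encode()) or user != session_user:
        raise Forbidden("bad link")
    return get_report_secure(session_user, record_id)


if __name__ == "__main__":
    link = make_report_link("alice", 1000001)
    print("alice's own link:", open_report_link("alice", link))
    tampered = link.replace("/reports/1000001", "/reports/1000002")
    for name, fn in [("vulnerable handler, foreign id",
                      lambda: get_report_vulnerable("alice", 1000002)),
                     ("secure handler, foreign id",
                      lambda: get_report_secure("alice", 1000002)),
                     ("signed link with one digit changed",
                      lambda: open_report_link("alice", tampered))]:
        try:
            print(f"{name}: served {fn()!r}")
        except Forbidden as e:
            print(f"{name}: refused ({e})")
```

The ownership check is the fix that matters; the signed link only removes the temptation to edit the URL and makes tampering detectable in logs. Unguessable identifiers on their own are not a substitute for checking, on every request, that the logged-in user is entitled to the record they asked for.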