Posts Tagged: True Health Group breach


25
May 17

MolinaHealthcare.com Exposed Patient Records

Earlier this month, KrebsOnSecurity featured a story about a basic security flaw in the Web site of medical diagnostics firm True Health Group¬†that let anyone who was logged in to the site view all other patient records. In that story I mentioned True Health was one of three major healthcare providers with similar website problems, and that the other two providers didn’t even require a login to view all patient records. Today we’ll examine a flaw that was just fixed by Molina Healthcare, a Fortune 500 company that until recently was exposing countless patient medical claims to the entire Internet without requiring any authentication.

molinalogoIn April 2017 I received an anonymous tip from a reader who said he’d figured out that just by changing a single number in the Web address¬†when accessing his recent medical claim at MolinaHealthcare.com he could then view any and all other patient claims.

More alarmingly, the link he was given to access his claim with Molina was accessible to anyone who had the link; no authentication was required to view it. Nor was any authentication required to view any other records that could be accessed by fiddling with the numbers after the bit at the end of Molinahealthcare.com address (e.g., claimID=123456789).

In other words, having access to a single hyperlink to a patient record would allow an attacker to enumerate and download all other claims. The source showed me screenshots of his medical records at Molina, and how when he changed a single number in the URL it happily displayed another patient’s records.

The records did not appear to include Social Security numbers, but they do include patient names, addresses and dates of birth, as well as potentially sensitive information that may point to specific diseases, such as medical procedure codes and any prescribed medications. Continue reading →