Patients of the True Health Group have had their health reports exposed online due to a flaw in the True Health Diagnostics website. Moreover, the reports appear to have been viewable by other patients for months if not years.
Based in Frisco, Texas, True Health Diagnostics is a company that offers a broad range of testing services for genetic and other diseases. It operates an online portal that patients can access in order to consult their personal test results. Accessing the web portal permits patients to obtain PDF files that contain their personal information together with the testing data.
Unfortunately, because of the flaw, logging into the site permitted patients to access not only their own records, but also the records of other True Health patients. The PDF files were named with sequential numbers. By simply modifying the PDF file name in the URL, patients could access other test reports; e.g. if the file was numbered 12345.pdf, typing the file name 12346.pdf could potentially permit the patient to view another patient’s report.
IT consultant Troy Mursch, who is also a patient of True Health Diagnostics, discovered the flaw. After noticing that sequential numbers had been used on earlier medical tests he had obtained through the firm, Mr Mursch attempted to change the file numbers. This revealed that it was possible to view the test results of other patients of True Health.
Mursch notified True Health Diagnostics of the flaw. The healthcare firm then quickly acted to shut down their system in order to protect the private information of other patients. The problem has now been rectified and all test results secured.
An investigation to clarify whether or not patient records were accessed by unauthorized individuals is underway. It has not been confirmed how long the flaw had existed; however, Mr Mursch thinks that it may have been present for years prior to its discovery.
The revelation illustrates the inherent risk in companies using sequential numbers for files that can be accessed via patient portals when the URLs are not encrypted to stop individuals from obtaining access to the data of other patients. All organizations should ensure that users have access only to their own personal results and information via patient portals.
Organizations should carry out regular tests to guarantee that patients can access only their own records. Moreover, records should only be accessible when a user has logged in first. Patient portals should be subject to ‘penetration testing’ to reveal any potential flaws which may result in the unintended disclosure of private health data.
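The following sketch is an added example, not code from True Health Diagnostics or its portal. It places the access pattern described above beside a handler that requires login and checks record ownership, and adds a repeatable audit of the kind of regular test recommended here. All names (REPORTS, SESSIONS, fetch_report_flawed, fetch_report_checked, audit_cross_patient_access) and the sample records are constructed for illustration.

```python
import secrets

# Constructed sample data: report number -> owner and file content.
REPORTS = {
    12345: {"owner": "patient-a", "pdf": b"%PDF- report for A"},
    12346: {"owner": "patient-b", "pdf": b"%PDF- report for B"},
}
SESSIONS = {}  # session token -> patient id


def login(patient_id):
    """Issue a session token (credential checking is out of scope here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = patient_id
    return token


def fetch_report_flawed(token, report_id):
    """Pattern from the article: any logged-in patient is served any file."""
    if token not in SESSIONS:
        return 401, None
    report = REPORTS.get(report_id)
    return (200, report["pdf"]) if report else (404, None)


def fetch_report_checked(token, report_id):
    """Require a login and that the record belongs to the session's patient."""
    patient = SESSIONS.get(token)
    if patient is None:
        return 401, None
    report = REPORTS.get(report_id)
    # Same 404 for "missing" and "not yours", so numbers cannot be probed.
    if report is None or report["owner"] != patient:
        return 404, None
    return 200, report["pdf"]


def audit_cross_patient_access(fetch):
    """Regression check: list every (patient, report) served to a non-owner."""
    leaks = []
    for patient in {r["owner"] for r in REPORTS.values()}:
        token = login(patient)
        for report_id, report in REPORTS.items():
            status, _ = fetch(token, report_id)
            if status == 200 and report["owner"] != patient:
                leaks.append((patient, report_id))
    return sorted(leaks)
```

Run as part of a portal's test suite, an audit like this fails as soon as any handler returns a record to a session that does not own it.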