A security flaw in a patient portal has exposed information about patient claims. The claims had been uploaded to the patient portal of Molina Healthcare, a managed care company based in Long Beach, California. Uploading claims to a portal is not unusual in itself; the flaw was that the information could be retrieved without any authentication check at all.
Some patients with pending claims had been sent a link to their claim. Clicking the link was all that was needed to open it: nothing verified that the person following the link was its intended recipient. Anyone who obtained the link could therefore view that patient's claim information.
Moreover, claims were numbered sequentially, so changing a digit in the URL returned claims belonging to other patients. If a claim number was 2345678, simply editing it to 2345679 in the URL would reveal another patient's record. A predictable identifier placed directly in the URL, combined with no check that the requester is entitled to the record it names, is the access-control weakness commonly called an insecure direct object reference (IDOR); the missing authentication made it exploitable by anyone, not just by other logged-in patients.
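The two weaknesses described above, a sequential claim number used directly in the link and no check of who is following it, reduced to a minimal in-memory portal beside a hardened lookup. This is an added illustration written for this page, not Molina Healthcare's code; the claim numbers, patient identifiers, URL shape and the token scheme are assumptions made for the example.

```python
"""Added illustration (not Molina's portal code): sequential claim numbers with
no ownership check, beside a lookup that binds an unguessable link token to the
authenticated patient. All records below are constructed sample data."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Claim:
    claim_number: int      # sequential, so trivially guessable from a neighbour
    patient_id: str        # the patient the claim belongs to
    summary: str


# Constructed sample data; no real patient information.
CLAIMS: Dict[int, Claim] = {
    2345678: Claim(2345678, "patient-A", "office visit"),
    2345679: Claim(2345679, "patient-B", "prescription refill"),
    2345680: Claim(2345680, "patient-C", "imaging"),
}


def vulnerable_lookup(claim_number: int) -> Optional[Claim]:
    """The flaw as described: whoever holds or guesses the number in the URL
    gets the record. There is no session and no ownership check."""
    return CLAIMS.get(claim_number)


def enumerate_neighbours(start: int, count: int) -> List[Claim]:
    """What 'changing a digit in the URL' amounts to: walking adjacent numbers
    through the vulnerable endpoint and collecting every record that exists."""
    found = []
    for number in range(start, start + count):
        claim = vulnerable_lookup(number)
        if claim is not None:
            found.append(claim)
    return found


# Hardened variant (an assumed design, not the vendor's fix): the emailed link
# carries a random token, the server resolves the token to a claim, and the
# claim must belong to the patient who is currently authenticated.
_LINK_TOKENS: Dict[str, int] = {}


def issue_link_token(claim_number: int) -> str:
    """Mint an unguessable token for a claim link; 32 random bytes, URL-safe."""
    token = secrets.token_urlsafe(32)
    _LINK_TOKENS[token] = claim_number
    return token


def hardened_lookup(token: str, authenticated_patient: Optional[str]) -> Optional[Claim]:
    """Return the claim only if the caller is logged in AND owns it."""
    if authenticated_patient is None:
        return None                      # possessing the link is not proof of identity
    claim_number = _LINK_TOKENS.get(token)
    if claim_number is None:
        return None                      # unknown or revoked token; nothing to guess from
    claim = CLAIMS.get(claim_number)
    if claim is None or claim.patient_id != authenticated_patient:
        return None                      # authenticated, but not the owner of this claim
    return claim


if __name__ == "__main__":
    print([c.patient_id for c in enumerate_neighbours(2345678, 3)])   # three patients leaked
    tok = issue_link_token(2345678)
    print(hardened_lookup(tok, None))                                 # None: not logged in
    print(hardened_lookup(tok, "patient-B"))                          # None: wrong patient
    print(hardened_lookup(tok, "patient-A").summary)                  # office visit
```

The hardened lookup keeps the sequential claim number internal; even if a token leaks, it identifies one claim, and the ownership comparison still has to pass. In a real deployment the token table would also carry an expiry and the server-side session would be the source of `authenticated_patient`, never a parameter in the link.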
Security journalist Brian Krebs was alerted to the portal flaw by an anonymous tip. He was given a demonstration showing that sensitive information could easily be accessed by unauthorized persons. The files reachable through the portal included full names, postal addresses, dates of birth, prescription details and information about medical procedures.
Krebs contacted Molina Healthcare to warn it about the vulnerability, and the ePortal was temporarily taken offline while an investigation was carried out. Molina Healthcare states that the issue has now been resolved, but the investigation into how many patients were affected, and whether the flaw was widely exploited, is continuing. Molina Healthcare has engaged the cybersecurity firm Mandiant to assist with that forensic investigation and to help improve the security of its systems.
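Whether the flaw was widely exploited is a question the portal's own access logs can help answer: enumeration of sequential claim numbers leaves a distinctive trace, one client requesting many adjacent claim numbers in a short span. The following check is an added example written for this page, not part of Mandiant's investigation or Molina's tooling; the log format (common log format with paths of the form /claims/<number>), the addresses, timestamps and claim numbers are all constructed.

```python
"""Added forensic check (not from the page or the vendor): flag clients whose
requests walk consecutive claim numbers. Log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed log shape: common log format, claim fetched by GET /claims/<number>.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /claims/(?P<claim>\d+) ')

# Constructed sample: one client sweeping four adjacent claims in five seconds,
# one client fetching a single claim, one client re-reading its own claim later.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2000:14:02:11 +0000] "GET /claims/2345678 HTTP/1.1" 200 1843
203.0.113.7 - - [01/Jan/2000:14:02:13 +0000] "GET /claims/2345679 HTTP/1.1" 200 1790
203.0.113.7 - - [01/Jan/2000:14:02:14 +0000] "GET /claims/2345680 HTTP/1.1" 200 1811
203.0.113.7 - - [01/Jan/2000:14:02:16 +0000] "GET /claims/2345681 HTTP/1.1" 200 1755
198.51.100.23 - - [01/Jan/2000:14:05:40 +0000] "GET /claims/2350011 HTTP/1.1" 200 1802
192.0.2.9 - - [01/Jan/2000:14:07:02 +0000] "GET /claims/2345700 HTTP/1.1" 200 1820
192.0.2.9 - - [01/Jan/2000:15:30:19 +0000] "GET /claims/2345700 HTTP/1.1" 200 1820
"""


def parse_claim_requests(log_text: str) -> Dict[str, List[Tuple[datetime, int]]]:
    """Group (timestamp, claim number) per client address; skip non-matching lines."""
    events: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, int(m["claim"])))
    return events


def longest_consecutive_run(numbers: List[int]) -> int:
    """Length of the longest run of adjacent integers (2345678, 2345679, ...)."""
    ordered = sorted(set(numbers))
    if not ordered:
        return 0
    best = run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text: str, min_run: int = 3) -> Dict[str, Dict[str, float]]:
    """Return clients whose requests contain a consecutive run of at least
    `min_run` claim numbers, with how many distinct claims they touched and
    the wall-clock span of their activity in seconds."""
    flagged: Dict[str, Dict[str, float]] = {}
    for ip, reqs in parse_claim_requests(log_text).items():
        claims = [c for _, c in reqs]
        run = longest_consecutive_run(claims)
        if run >= min_run:
            times = [t for t, _ in reqs]
            flagged[ip] = {
                "distinct_claims": len(set(claims)),
                "longest_run": run,
                "span_seconds": (max(times) - min(times)).total_seconds(),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(ip, info)   # 203.0.113.7 {'distinct_claims': 4, 'longest_run': 4, 'span_seconds': 5.0}
```

The consecutive-run signal is deliberately narrow: a legitimate patient with two claims numbered far apart never trips it, and a client that re-reads its own claim, as 192.0.2.9 does, is ignored. Because the portal required no login, there is no user to attribute the requests to, so the client address and the proxy headers behind it are the only handle an investigator has; a real review would also widen the window and check for slower sweeps spread across addresses.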
At present it remains unclear how long the flaw existed and how many patients were affected. Because the weakness lay in the portal itself rather than in any individual account, every patient whose claims were on the portal was potentially exposed; whether each record was actually viewed by an unauthorized party is what the forensic investigation has to establish. Molina Healthcare serves individuals in twelve states and Puerto Rico and has almost 5 million members.
As Brian Krebs has highlighted, this was a security flaw of the most basic kind, one that simply should not exist. Krebs described the flaw as "lame" on the part of the company, but also very serious.