Molina Healthcare Security Flaw Makes Patient Records Available Online

The California-based Fortune 500 company Molina Healthcare has been exposing patients’ medical claims online without requiring authentication, according to investigative reporter Brian Krebs.

It’s not clear at this point how long the vulnerability may have been in place.

Last month, Krebs reports, he received an anonymous tip that any Molina customer could access other customers’ medical claims simply by changing a single number in the URL when accessing their own claims — and that no authentication was required to access customer claims online.

“It’s unconscionable that such a basic, Security 101 flaw could still exist at a major healthcare provider today,” Krebs wrote. “However, the more I write about these lame but otherwise very serious vulnerabilities at healthcare firms the more I hear about how common they are from individual readers.”

While the records didn’t appear to include Social Security numbers, they did include patient names, addresses and birthdates, as well as diagnosis, medication and medical procedure information.

Molina told Krebs it had fixed the problem and was trying to determine how it occurred and whether it had been widely abused.

“Because protecting our members’ information is of utmost importance to Molina and out of an abundance of caution, we are taking our ePortal temporarily offline to perform additional testing of our system security,” the company said. “Molina has also engaged Mandiant to assist the company in continuing to strengthen our system security.”

Healthcare a Major Target

While we often focus on dramatic cyber threats like WannaCry, many organizations simply lack basic security, Bitglass CEO Nat Kausik told eSecurity Planet by email. “This is especially true in the heavily regulated healthcare industry,” he said. “Molina Healthcare is just one example of an IT oversight that led to massive exposure of PHI.”

“Healthcare organizations are major targets and will see any and all flaws exploited by malicious individuals,” Kausik added. “As healthcare organizations make patient data more accessible to individuals and new systems, they must make information security their top priority.”

According to Bitglass’ 2017 Healthcare Breach Report, 328 U.S. healthcare firms reported data breaches in 2016, up from 268 in 2015. Still, the number of Americans affected by healthcare breaches dropped in 2016, to 16.6 million.

“Unauthorized disclosures continue to tick up and are now the leading cause of breaches as data moves to cloud and mobile and as external sharing becomes easier. Unauthorized disclosures includes all non-privileged access to PII or PHI,” the report states. “Hacking and IT-related incidents doubled year-over-year, an indication that malicious actors are not letting up and are increasingly aware of PHI’s high long-term value.”

According to the 2016 Ponemon Cost of Data Breach Study, the average breach cost U.S. companies $221 per lost record last year, up from $217 per record in 2015 — though the cost per leaked record for healthcare firms topped $402 in 2016.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles