A security flaw in MolinaHealthcare.com exposed every other patient’s data to anyone logged into the site.
It is unclear how many records were exposed, but independent researcher Brian Krebs, who received an anonymous tip, suspects potentially all of the records were exposed including names, addresses and dates of birth, as well as potentially sensitive information that may point to specific diseases, such as medical procedure codes and any prescribed medications, according to a May 25 blog post.
Krebs received the tip in April 2017 alerting him that anyone who had access to a simple hyperlink of a patient record could change a single number in the web address of their own recent medical claim at MolinaHealthcare.com to access other patient records.
To make matters worse, these links could be sent to and viewed by others without any form of verification or authentication.
Krebs alerted the hospital of the error which claims to have remedied the error.
“The previously identified security issue has been remediated,” the company said according to the researcher. “Because protecting our members’ information is of utmost importance to Molina and out of an abundance of caution, we are taking our ePortal temporarily offline to perform additional testing of our system security.”
Molina Healthcare is just one example of an IT oversight that led to massive exposure of personal health information, Bitglass CEO Nat Kausik told SC Media.
“We often focus on elaborate cyber threats like the Wannacry ransomware that recently wreaked havoc on organizations around the world,” Kausik said. But, the fact remains that many organizations lack basic security. This is especially true in the heavily regulated healthcare industry”
He said that while the volume of leaked records in healthcare fell in 2016 and was on track to fall further in 2017, the number of breaches in the healthcare industry in 2016 hit an all-time high.
“Hacking and IT incidents like the Molina Health flaw are the leading cause of breach events and continue to pose the greatest risk to healthcare organizations.” Kausik said. “These breaches are also incredibly costly – the average cost per leaked record for healthcare firms topped $402 in 2016 according to the Ponemon Institute.”