HOW WE PROCESS

1 Submit your enquiry.
2 We will get back to you and review your enquiry.
3 We Simulate Penetration testing

If you still have problems, please let us know, by sending an email to support@cybermetrix.co.uk Thank you!

OPENING HOURS

Mon-Fri 9:00AM - 6:00AM
Sat - 9:00AM-5:00PM
Sunday - Appointment only
GET A QUOTE

MolinaHealthcare.com Exposed Patient Records

Posted on by Christian Hendrix
molina 1232641 - MolinaHealthcare.com Exposed Patient Records

Earlier this month, KrebsOnSecurity featured a story about a basic security flaw in the Web site of medical diagnostics firm True Health Group that let anyone who was logged in to the site view all other patient records. In that story I mentioned True Health was one of three major healthcare providers with similar website problems, and that the other two providers didn’t even require a login to view all patient records. Today we’ll examine a flaw that was just fixed by Molina Healthcare, a Fortune 500 company that until recently was exposing countless patient medical claims to the entire Internet without requiring any authentication.

In April 2017 I received an anonymous tip from a reader who said he’d figured out that just by changing a single number in the Web address when accessing his recent medical claim at MolinaHealthcare.com he could then view any and all other patient claims.

More alarmingly, the link he was given to access his claim with Molina was accessible to anyone who had the link; no authentication was required to view it. Nor was any authentication required to view any other records that could be accessed by fiddling with the numbers after the bit at the end of Molinahealthcare.com address

In other words,

having access to a single hyperlink to a patient record would allow an attacker to enumerate and download all other claims. The source showed me screenshots of his medical records at Molina, and how when he changed a single number in the URL it happily displayed another patient’s records.

The records did not appear to include Social Security numbers, but they do include patient names, addresses and dates of birth, as well as potentially sensitive information that may point to specific diseases, such as medical procedure codes and any prescribed medications.

I contacted Molina about the issue, and the company released a brief statement saying it had fixed the problem. Molina also said it was trying to figure out how such a mistake was made, and if there was any evidence to suggest the Web site bug had been widely abused.

“The previously identified security issue has been remediated,” the company said. “Because protecting our members’ information is of utmost importance to Molina and out of an abundance of caution, we are taking our ePortal temporarily offline to perform additional testing of our system security. Molina has also engaged Mandiant to assist the company in continuing to strengthen our system security.”
sans titre 2 - MolinaHealthcare.com Exposed Patient Records

Christian Hendrix

Cybersecurity Analyst at Cybermetrix
Christian is passionate about cybersecurity, personal and fair. he brings new ideas and challenge things that could be better. His is to be responsible for the monitoring and analysing of cyberthreats activity for cybermetrix customers systems and the external environment to identify, understand and react to relevant activity. Passionate about Cybersecurity he brings the most relevants blogs articles for Cybermetrix.
sans titre 2 - MolinaHealthcare.com Exposed Patient Records
(Visited 24 times, 1 visits today)
Microsoft Issues WanaCrypt Patch for Windows 8, XP
Hacking and Linux Go Together Like 2 Keys

Leave a Reply

Be the First to Comment!

Notify of
avatar
wpDiscuz

Cybermetrix cybersecurity group
Our experts will provide the best advice and cybersecurity service in a quick response.

Cybermetrix cybersecurity group
INCIDENT RESPONSE

Our experts will provide the best advice and cybersecurity service in a quick response.

  • SALES ENQUIRY

    04324324///
  • Cyber Incident Helpline

    07804325///
  • EMAIL US

    sales@cybermetrix.co.uk
TOP
Download Free 10 Tips to secure your company PDFGET IT NOW
+