We trust that healthcare companies take every precaution to make sure patient files are as secure as they can be. In fact, not doing so can lead to big fines and other trouble. It’s surprising, then, that a Fortune 500 healthcare company would leave their patient records almost completely unprotected.
Security reporter Michael Krebs reported on his blog that he received a tip sometime last month about the Molina Healthcare website. He was told that a person was able to change the string of numbers on a link he received for accessing his medical records to pull up someone else’s records. To make it even worse, the person didn’t even have to sign in to view his own records, meaning it was publically accessible to anybody without any sort of credentials.
What does that mean? Anybody with a proper URL could play around with the numbers in a link in order to access the information of any Molina Healthcare patient! The records didn’t include Social Security numbers, but they did include all sorts of other sensitive information.
Krebs contacted Molina, who said they were taking the online access offline while they updated the system to ensure they were properly protecting their patients’ information. They also said they’re not sure how such a basic security rule was overlooked, but they were hiring a company to help them with their security.
You’d hope that such a problem would be a rarity, but at the end of his article, Krebs said that he’s received tips about and confirmed two other companies with similar security holes.