Molina Healthcare breached, exposed patient data for over a month
Molina Healthcare, a major Medicaid and Affordable Care Act insurer, shut down its patient portal on Friday in response to a security flaw that exposed patient medical claims data without requiring authentication, according to security researcher Brian Krebs.
At the time, it’s unclear how long the vulnerability was in place.
Brian Krebs was first made aware of the security flaw in April through an anonymous tip, which could allow any Molina patient to access other patients’ medical claims by simply changing a single number in the URL.
Even worse -- no authentication was required to access patient claims information online.
“It's unconscionable that such a basic, Security 101 flaw could still exist at a major healthcare provider today," said Krebs. “However, the more I write about these lame but otherwise very serious vulnerabilities at healthcare firms the more I hear about how common they are from individual readers.”
The exposed records don’t appear to contain Social Security numbers, but include names, addresses, birthdates, diagnosis, medication and other medically pertinent information. This type of data is frequently used for medical fraud.
Molina told Krebs it had fixed the problem, while it’s investigating how it could have occurred and if the flaw was abused.
“Because protecting our members' information is of utmost importance to Molina and out of an abundance of caution, we are taking our ePortal temporarily offline to perform additional testing of our system security," officials said in a statement.
The company didn’t reveal to Krebs the number of records exposed, but it does appear all patient data was affected. Molina serves 4.8 million customers in 12 states and Puerto Rico.
Molina’s patient portal currently has a banner that says the site is “under maintenance.”
“We are in the process of conducting an internal investigation to determine the impact, if any, to our customers’ information and will provide any applicable notifications to customers and/or regulatory authorities,” officials said in a statement. “Protecting our members’ information is of utmost importance.”