A data security flaw in the patient portal of Medicaid insurer Molina Healthcare could have allowed anyone to access sensitive patient medical claims data with nothing but a simple change of the URL, no authentication required.
In response to the situation, Molina Healthcare shut down its patient portal on Friday.
Ben Krebs, a data security researcher, found out about the issue in April. Commenting on the flaw, he said he finds it almost unbelievable that such a basic data security flaw could exist at a major healthcare provider today. He added that the more he writes about these types of vulnerabilities at healthcare firms, the more he hears about how common they actually are.
Luckily, the exposed records don’t reveal any Social Security numbers. However, the following data has been exposed:
– Birth dates
– Diagnosis data
– Medication data
– Other medically pertinent data
Typically, this type of data is used for medical fraud.
At this time, Molina does not know how the security flaw came to be or whether anyone abused it, as the investigation is still in progress.
The company did not disclose to Krebs the exact number of medical records exposed, but it looks like all patient data was affected. Molina serves 4.8 million customers in 12 states, as well as Puerto Rico. In its official statement, the company said it took the portal offline for the time being to perform additional testing of its system security.
If you decide to visit their site right now, you will find a banner stating it’s currently under maintenance.
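
The flaw described at the top of this article, records returned to anyone who changes the URL with no authentication, comes down to a missing authentication step and a missing per-record ownership check. The Python below is an added example, not Molina's code: the claim ids, member ids, session tokens and function names are all constructed for illustration. It contrasts the flawed lookup with a hardened one and includes a regression audit that lists every record returned to a caller who does not own it.

```python
from dataclasses import dataclass

# Constructed sample records; ids and fields are illustrative only.
CLAIMS = {
    "1001": {"member_id": "m-alice", "diagnosis": "sample-dx-a"},
    "1002": {"member_id": "m-bob", "diagnosis": "sample-dx-b"},
}

@dataclass(frozen=True)
class Session:
    member_id: str

# Hypothetical session store: session token -> authenticated member.
SESSIONS = {"tok-alice": Session("m-alice"), "tok-bob": Session("m-bob")}

def get_claim_vulnerable(claim_id, session_token=None):
    """Flawed pattern: the identifier taken from the URL is the only input consulted."""
    claim = CLAIMS.get(claim_id)
    return (200, claim) if claim else (404, None)

def get_claim_hardened(claim_id, session_token=None):
    """Authenticate the caller first, then verify the record belongs to that caller."""
    session = SESSIONS.get(session_token) if session_token else None
    if session is None:
        return (401, None)  # no valid session: reject before touching any data
    claim = CLAIMS.get(claim_id)
    # Same answer for "does not exist" and "not yours", so the endpoint
    # does not confirm which claim ids are valid.
    if claim is None or claim["member_id"] != session.member_id:
        return (404, None)
    return (200, claim)

def audit(handler):
    """Request every claim as anonymous and as each member; return the leaks found."""
    leaks = []
    for claim_id, claim in CLAIMS.items():
        for token in [None, *SESSIONS]:
            _status, body = handler(claim_id, token)
            is_owner = (token is not None
                        and SESSIONS[token].member_id == claim["member_id"])
            if body is not None and not is_owner:
                leaks.append((claim_id, token))
    return leaks

if __name__ == "__main__":
    print("vulnerable leaks:", audit(get_claim_vulnerable))
    print("hardened leaks:  ", audit(get_claim_hardened))
```

Running an audit of this kind in a test suite against every record-returning endpoint catches the regression before release rather than after disclosure.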