Long Beach, Calif.-based insurer Molina Healthcare remedied a website security flaw that exposed "countless patient medical claims to the entire Internet," according to Krebs On Security.
Here are four things to know.
1. In April, a patient visited Molina Healthcare's website to view his recent medical claim. He realized he could view other claims — without needing a login or prior authorization — by changing a number in the website address he was given to access his own claim.
"In other words, having access to a single hyperlink to a patient record would allow an attacker to enumerate and download all other claims," Krebs On Security reports.
2. The online medical claims included patient names, addresses and dates of birth, along with medical procedure codes and prescribed medications. The records did not include Social Security numbers, according to Krebs On Security's analysis.
3. Molina Healthcare told Krebs On Security and Becker's Hospital Review it has since fixed the security flaw.
In a statement to Becker's Hospital Review, the insurer wrote: "Molina Healthcare was recently informed of a security vulnerability in one of its systems and immediately addressed the issue. Out of an abundance of caution, the company has taken its ePortal system offline. We are in the process of conducting an internal investigation to determine the impact, if any, to our customers' information and will provide any applicable notifications to customers and/or regulatory authorities. Protecting our members' information is of utmost importance to Molina. Molina’s IT team, along with third party experts, are constantly testing and verifying our systems' security."
4. Molina Healthcare did not specify how many records were exposed.
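The flaw in item 1 comes down to a record lookup that trusts the number in the web address, with no login and no check that the record belongs to the person asking. The Python sketch below is an added example, not Molina's code or anything taken from the Krebs On Security report, and it contrasts that lookup with one that enforces both checks. The claim numbers, member IDs and function names are all constructed for illustration.

```python
# Added illustration; every name, ID and record here is constructed.
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class Claim:
    claim_id: int
    member_id: str
    summary: str

# Constructed sample data standing in for a claims database.
CLAIMS = {
    1001: Claim(1001, "member-A", "office visit"),
    1002: Claim(1002, "member-B", "lab panel"),
    1003: Claim(1003, "member-A", "prescription refill"),
}

class NotAuthenticated(Exception):
    """No valid session: the caller must log in first."""

class NotFound(Exception):
    """Claim is absent or not owned by the caller (same error for both)."""

def get_claim_flawed(claim_id: int) -> Claim:
    # The behaviour the article describes: the number from the URL is the
    # only input, so changing it returns another patient's claim.
    if claim_id not in CLAIMS:
        raise NotFound(claim_id)
    return CLAIMS[claim_id]

def get_claim_checked(session_member_id: Optional[str], claim_id: int) -> Claim:
    # 1) Require an authenticated session before touching any record.
    if not session_member_id:
        raise NotAuthenticated()
    claim = CLAIMS.get(claim_id)
    # 2) Object-level authorization: the record must belong to the caller.
    #    Missing and foreign claims raise the same error, so responses do
    #    not reveal which claim numbers exist.
    if claim is None or claim.member_id != session_member_id:
        raise NotFound(claim_id)
    return claim

def visible_claims(session_member_id: Optional[str], ids: Iterable[int]) -> List[int]:
    """Claim IDs the caller can read through the checked path."""
    readable = []
    for cid in ids:
        try:
            readable.append(get_claim_checked(session_member_id, cid).claim_id)
        except (NotAuthenticated, NotFound):
            continue
    return readable
```

Using random, non-sequential claim identifiers in links makes guessing harder but does not replace the ownership check, because a single leaked link would still open the record.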