Molina Healthcare on Friday said it had fixed a security vulnerability that made patient medical claims in its online portal accessible on the internet and had taken the portal offline while it investigates the issue.
The insurer declined to say how many members' medical claims might have been exposed by the vulnerability, but Brian Krebs, a cybersecurity expert who runs the Krebs on Security website, said it looks like all were affected. Molina insures more than 4.8 million people in 12 states and Puerto Rico.
About the vulnerability
Krebs said he was alerted to the issue via an anonymous reader who said he was able to view other members' claims, without a login or prior authorization, by changing a number in the URL he was provided to access his own claim.
According to Krebs, the medical claims appeared to include patient names, addresses, dates of birth, procedure codes, and prescribed medications. He said the claims did not include Social Security numbers. Krebs said, "It's unconscionable that such a basic, security 101 flaw could still exist at a major health care provider."
Molina takes portal offline
After Krebs contacted Molina, the insurer said it had already addressed the vulnerability. Molina in an emailed statement wrote, "The previously identified security issue has been remediated."
Molina said it had taken its online portal offline "out of an abundance of caution" while it continues testing its security system. It added that it is working with cybersecurity firm "Mandiant to assist the company in continuing to strengthen [its] system security" (Terhune, Kaiser Health News, 5/26; Rechtoris, Becker's ASC Review, 5/30; Cohen, Becker's Health IT & CIO Review, 5/30; Krebs, Krebs on Security post, 5/25).
6 steps for your ransomware response plan
Health care organizations are attractive, lucrative targets for cyber attackers. With highly marketable data, security controls that may lack in strength and consistency, and a culture of openness and helpfulness, health care organizations can quickly become unwitting targets.
Now, more than ever, it is critical to ensure your organization has a proper response plan in place for cybersecurity incidents. This guide outlines the six steps your organization can take to ready for and respond to a ransomware attack.