Over the past two weeks readers have pointed KrebsOnSecurity to no fewer than three different healthcare providers that failed to provide the most basic care to protect their patients’ records online. Only one of the three companies — the subject of today’s story — required users to be logged in order to view all patient records.
A week ago I heard from Troy Mursch, an IT consultant based in Las Vegas. A big fan of proactive medical testing, Mursch said he’s been getting his various lab results reviewed annually for the past two years with the help of a company based in Frisco, Texas called True Health Diagnostics.
True Health is a privately held health services company specializing in “comprehensive testing for early detection of chronic diseases,” according to the company’s Web site.
The medical reports that True Health produces contain vast amounts of extremely personal information on patients, including indicators of genetic abnormalities as well as markers of potentially current and future diseases.
To demonstrate the flaw, Mursch logged into his account at True Health and right clicked on the PDF file for his latest health report. He showed how the site would readily cough up someone else’s detailed health records and blood tests if he modified a single digit in the link attached to that PDF record and then refreshed the page.
I alerted True Health Diagnostics immediately after verifying the flaw, and they responded by disabling the healthcare records data portal within minutes of our call. Over the weekend, True Health said it discovered and fixed the source of the problem.
“Upon discovering the potential for registered users of our patient portal to access data for individuals other than themselves, we immediately shut down the system in order to resolve any vulnerabilities,” the company said in a statement emailed to this author. “True Health has total confidence that all patient records are fully secure at this time. We regret this situation and any harm it may have caused.”
The statement said True Health CEO Chris Grottenthaler has ordered an immediate investigation to determine which files, if any, were improperly accessed.
“It will be thorough, speedy and transparent,” the statement concludes. “Nothing is more important to us than the trust that doctors and patients put in our company.”
The company says it is still investigating how long this vulnerability may have existed. But Mursch said it appears his healthcare record was assigned by True Health a record number that was issued as part of a numerical sequence, and that the difference between the record numbers attached to a result he received recently and another set of test results produced two years ago indicate at least two million records may have been exposed in between.
“I would assume all patient records were exposed,” Mursch wrote in an email.
Alex Holden, founder of cybersecurity consultancy Hold Security, said he’s responded to a number of inquiries of late regarding clients who inadvertently published patient data online with little or no authentication needed to view sensitive health records.
Holden said he advises clients to add security components to their links to encrypt any portion of the link that contains data so that it can’t be easily reversed or manipulated. He also tells clients not to use sequential account numbers that can be discovered by simply increasing or decreasing an existing account number by a single digit.
“A lot of times the medical records are stored sequentially as PDF files and they all just sit in the same folder that patients can access with a Web browser,” Holden said. “And in many cases they are not even protected by a username and password.”
Finally, Holden said, companies should ensure their servers are always checking to see if the user is logged in before displaying records, and also checking to ensure the user has the right to view the requested record.
According to Verizon‘s newly released Data Breach Investigations Report (DBIR), 15 percent of healthcare breaches now involve healthcare organizations. The 2017 DBIR found that healthcare organizations were tied with the retail and accommodations sector as the second-largest source of data breach victims last year.
Author’s note: After a year in which virtually every major hotel chain suffered at least one major breach, Verizon’s finding should be a sobering one for everyone concerned about the security of their healthcare records.
As I said at the outset of this story, I’m amazed that companies with so much on the line routinely fail to do basic checks to ensure customers or users can’t see beyond their own data.
Not long after I started this blog in 2010 I encountered a similar vulnerability after being approached by a security company that helps Web sites defend against online attacks. The vendor in this case offered to protect my site for free, but I was ultimately unwilling to give them any kind of control over my site.
However, the vendor did give me an account on their protection portal that was reserved for my site, and after logging in I could see my site’s sample “dashboard” even thought it hadn’t been officially set up yet. Then I had a look at the URL in my browser’s address field and noticed that it ended with a long string of numbers. On a whim, I changed the last digit in that long number to something else, refreshed the page and in an instant I was captain of some other site’s dashboard.
Needless to say, I notified them about that flaw and they fixed it quickly at the time, but that was the end of our trial for me.
Stay tuned for another installment in this series on how not to store medical records online.