Molina Healthcare, a major insurer in Medicaid and state exchanges across the country, has suspended access to its online patient portal while it investigates a possible data breach that may have exposed sensitive medical information.
The company announced on Friday that it would be shutting down the online portal for medical claims and other customer information while it investigated a “security vulnerability.” It’s unclear how many patient records were exposed and for how long. In 12 states and Puerto Rico, the company has over 4.8 million customers.
“We are in the process of conducting an internal investigation to determine the impact, if any, to our customers’ information and will provide any applicable notifications to customers and/or regulatory authorities,” Molina said in a statement Friday. “Protecting our members’ information is of utmost importance.”
Brian Krebs, a well-known cybersecurity expert who runs the Krebs on Security website, said he notified the company of the potential breach earlier this month and wrote about it Thursday on his website. When contacted, Molina stated that it was already aware of the security flaw.
Until recently, Krebs said, Molina “was exposing countless patient medical claims to the entire internet without requiring any authentication.”
Krebs stated that the information he found online included patients’ names, addresses, dates of birth, and medical procedures and medications.
“It’s unconscionable that such a basic, security 101 flaw could still exist at a major health care provider,” Krebs said. “This information is more sensitive than credit card data, but it seems less protected.”
Krebs stated that he received an anonymous tip in April from a Molina member who discovered the issue while attempting to view his medical claim online. According to Krebs, the tipster discovered that by changing a single number in the website address, he could view other patient claims.
Krebs stated that the Molina member showed him screenshots of his own medical records and how, by changing the web address slightly, the records of another patient were displayed. The Molina website informed customers on Friday that the online portal was “under maintenance.”
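The flaw described above, where changing one number in the web address returns another patient's claim, is a missing object-level authorization check. The following is an added example, not Molina's code or anything from the article: a constructed claims lookup in the vulnerable form beside a hardened form that ties every lookup to the authenticated member, plus a small detection routine that flags members generating repeated denials (all names, data and log format are hypothetical).

```python
"""Added example: object-level authorization on a claim lookup.

Constructed data and hypothetical function names; not code from the
article or from Molina. get_claim_vulnerable() returns any claim whose
id is supplied, the class of flaw the article describes. get_claim_secure()
requires a valid session and that the claim belongs to that member, and
logs denials so enumeration attempts can be detected.
"""
import logging
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

logger = logging.getLogger("claims")


@dataclass(frozen=True)
class Claim:
    claim_id: int
    member_id: int
    description: str


# Constructed sample records, not real patient data.
CLAIMS: Dict[int, Claim] = {
    1001: Claim(1001, 501, "office visit"),
    1002: Claim(1002, 502, "prescription"),
}

# Constructed session store: bearer token -> authenticated member id.
SESSIONS: Dict[str, int] = {"tok-alice": 501, "tok-bob": 502}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def get_claim_vulnerable(claim_id: int) -> Optional[Claim]:
    """Insecure: keyed on the id in the URL alone, with no login and no
    ownership check, so any claim id that exists is returned to anyone."""
    return CLAIMS.get(claim_id)


def get_claim_secure(session_token: Optional[str], claim_id: int) -> Claim:
    """Hardened: resolve the caller from the session, then require that the
    requested claim belongs to that member before returning it."""
    member_id = SESSIONS.get(session_token) if session_token else None
    if member_id is None:
        raise Unauthenticated("login required")
    claim = CLAIMS.get(claim_id)
    # Same error for a missing claim and someone else's claim, so the
    # response does not reveal which claim ids exist.
    if claim is None or claim.member_id != member_id:
        logger.warning("denied claim %d for member %d", claim_id, member_id)
        raise Forbidden("claim not found")
    return claim


def lookup_outcome(session_token: Optional[str], claim_id: int) -> str:
    """Convenience wrapper that maps the hardened lookup to a status string."""
    try:
        get_claim_secure(session_token, claim_id)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


# Detection side: the denial log line format written by get_claim_secure().
DENIED_RE = re.compile(r"denied claim (\d+) for member (\d+)")


def flag_enumeration(log_lines: List[str], threshold: int = 3) -> List[int]:
    """Return member ids denied access to at least `threshold` distinct
    claim ids, a signal that someone is walking the id space."""
    denied: Dict[int, Set[int]] = {}
    for line in log_lines:
        m = DENIED_RE.search(line)
        if m:
            denied.setdefault(int(m.group(2)), set()).add(int(m.group(1)))
    return sorted(mid for mid, ids in denied.items() if len(ids) >= threshold)


# Constructed log lines for the detection routine.
SAMPLE_LOG = [
    "denied claim 1002 for member 501",
    "denied claim 1003 for member 501",
    "denied claim 1004 for member 501",
    "denied claim 1001 for member 502",
]

if __name__ == "__main__":
    print(get_claim_vulnerable(1002))            # anyone gets member 502's claim
    print(lookup_outcome("tok-alice", 1001))     # ok
    print(lookup_outcome("tok-alice", 1002))     # forbidden
    print(lookup_outcome(None, 1001))            # unauthenticated
    print(flag_enumeration(SAMPLE_LOG))          # [501]
```

The design point is that the authorization decision is made from the server-side session, never from anything the client can edit in the request, and that denials are logged in a form a monitor can count.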
Healthcare providers, hospitals, and other covered entities must report data breaches, including breaches of patient data, to US officials. Molina emphasized that the matter was still being investigated and had not yet been reported. For violations of the Health Insurance Portability and Accountability Act, also known as HIPAA, federal regulators can levy significant fines.
Many security experts question healthcare companies’ and providers’ ability to protect vast troves of electronic medical records and other sensitive patient data, especially at a time when cybercriminals are targeting medical information.
Molina, based in Long Beach, California, generated $17.8 billion in revenue last year.
Molina made headlines earlier this month when it fired its top two executives, both of whom are the sons of the company’s founder. J. Mario Molina, CEO, and his brother, finance chief John Molina, were both fired. According to the company’s board, Molina’s poor financial performance prompted the management change.
Molina rose to prominence during the implementation of the Affordable Care Act, as Medicaid was expanded and state insurance exchanges were established. Through Obamacare exchanges in several states, the company serves over one million people. In the Covered California exchange, it has nearly 69,000 enrollees, or about 5% of the market.
This story was produced by Kaiser Health News, which publishes California Healthline, an editorially independent service of the California Health Care Foundation.