Brian Krebs reports on yet another entity/site that did not adequately secure patient information:
True Health is a privately held health services company specializing in “comprehensive testing for early detection of chronic diseases,” according to the company’s Web site.
The medical reports that True Health produces contain vast amounts of extremely personal information on patients, including indicators of genetic abnormalities as well as markers of potentially current and future diseases.
To demonstrate the flaw, Mursch logged into his account at True Health and right clicked on the PDF file for his latest health report. He showed how the site would readily cough up someone else’s detailed health records and blood tests if he modified a single digit in the link attached to that PDF record and then refreshed the page.
Read more on KrebsOnSecurity.com.