Molina Healthcare, a major insurer in Medicaid and state exchanges across the country, has shut down its online patient portal as it investigates a potential data breach that may have exposed sensitive medical information.
The company said Friday that it closed the online portal for medical claims and other customer information while it examined a "security vulnerability." It's not clear how many patient records might have been exposed and for how long. The company has more than 4.8 million customers in 12 states and Puerto Rico.
"We are in the process of conducting an internal investigation to determine the impact, if any, to our customers' information and will provide any applicable notifications to customers and/or regulatory authorities," Molina said in a statement Friday. "Protecting our members' information is of utmost importance."
Brian Krebs, a well-known cybersecurity expert who runs the Krebs on Security website, said he notified the company of the potential breach earlier this month and wrote about it on his website Thursday. Molina said it was already aware of the security vulnerability when contacted.
Until recently, Krebs said, Molina "was exposing countless patient medical claims to the entire internet without requiring any authentication."
Krebs said the information he saw online included patients' names, addresses, dates of birth and information on their medical procedures and medications.
"It's unconscionable that such a basic, security 101 flaw could still exist at a major health care provider," Krebs said. "This information is more sensitive than credit card data, but it seems less protected."
Krebs said he received an anonymous tip in April from a Molina member who stumbled upon the problem when trying to view his medical claim online. The tipster found that by changing a single number in the website address he could then view other patient claims, according to Krebs.
Krebs said the Molina member showed him screenshots of his own medical records and how when he changed the web address slightly it then displayed records of another patient. On Friday, the Molina website told customers that the online portal was "under maintenance."
Health care companies, hospitals and other providers must report data breaches to U.S. officials. Molina emphasized that it was still investigating the matter so had not yet reported it. Federal regulators can levy significant fines for violations under the Health Insurance Portability and Accountability Act, also known as HIPAA.
Many security experts question the ability of health care companies and providers to safeguard vast troves of electronic medical records and other sensitive data, particularly at a time when cybercriminals are targeting medical information.
Molina, based in Long Beach, Calif., posted $17.8 billion in annual revenue last year.
Molina made news earlier this month with the surprise firing of its top two executives, who are sons of the company's founder. Both CEO J. Mario Molina and his brother, finance chief John Molina, were ousted. The company's board said Molina's disappointing financial performance led to the management change.
Molina has grown more prominent during the rollout of the Affordable Care Act, as Medicaid expanded and state insurance exchanges launched. The company serves more than 1 million people through Obamacare exchanges across several states. It has nearly 69,000 enrollees in the Covered California exchange, or about 5 percent of the market.
This story was produced by Kaiser Health News, which publishes California Healthline, an editorially independent service of the California Health Care Foundation.