Issue link: https://beckershealthcare.uberflip.com/i/842028
38 CIO / HEALTH IT Molina Healthcare Fixes Hyperlink Flaw That Exposed 'Countless' Medical Claims Online By Jessica Kim Cohen L ong Beach, Calif.-based insurer Molina Healthcare remedied a website security flaw that exposed "countless patient medical claims to the entire internet," according to Krebs On Security. Here are four things to know. 1. In April, a patient visited Molina Healthcare's website to view his recent medical claim. He real- ized he could view other claims — without need- ing a login or prior authorization — by changing a number in the website address he was given to access his own claim. "In other words, having access to a single hyper- link to a patient record would allow an attacker to enumerate and download all other claims," Krebs On Security reports. 2. e online medical claims included patient names, addresses and dates of birth, along with medical procedure codes and prescribed medica- tions. e records did not include Social Security numbers, according to Krebs On Security's anal- ysis. 3. Molina Healthcare told Krebs On Security and Becker's Hospital Review it has since fixed the security flaw. In a statement to Becker's Hospital Review, the insurer wrote: "Molina Healthcare was recent- ly informed of a security vulnerability in one of its systems and immediately addressed the issue. Out of an abundance of caution, the company has taken its ePortal system offline. We are in the process of conducting an internal investigation to determine the impact, if any, to our customers' information and will provide any applicable noti- fications to customers and/or regulatory author- ities. Protecting our members' information is of utmost importance to Molina. Molina's IT team, along with third party experts, are constantly testing and verifying our systems' security." 4. Molina Healthcare did not specify how many re- cords were exposed. n Children's Mercy Physician Exposes 5.5k Patients' PHI on Unauthorized Website By Jessica Kim Cohen C hildren's Mercy Kansas City (Mo.) on May 19 notified 5,511 patients of an unauthorized disclosure of protected health information. Here are five things to know. 1. The hospital's information security department discovered an unautho- rized website containing information such as patient names, medical record numbers and dates of service. The website was not owned by Children's Mercy or on the hospital's network. 2. The hospital determined a hospital physician had collected the information and used the website "to create an educational resource," according to Chil- dren's Mercy. The physician believed all individual information on the website was inaccessible and password protected. 3. The website's security controls did not meet the hospital's standards for patient information, and Children's Mercy determined storing patient infor- mation on the website violated the institution's policies. 4. Children's Mercy said there is no evidence of any misuse of patient infor- mation; however, the information could have been accessed by unauthorized third parties. The exposed information may have included names, medical record numbers, gender, date of birth, height, weight, dates of service and brief notes. 5. The hospital took down the website upon discovery. Children's Mercy also established a call center and offered free identity theft protection to affected patients. n Study: 82% of Electronic Patient Progress Notes Copied, Imported By Jessica Kim Cohen O nly 18 percent of electronic inpatient progress notes are original entries by clinicians, according to a research letter in JAMA Internal Medicine. Three UC San Francisco physicians — Michael D. Wang, MD, Raman Khanna, MD, and Nader Najafi, MD — analyzed 23,630 inpatient progress notes from an eight-month period in 2016. An Epic EHR system stored the notes, which were written by 460 clinicians including direct care hospitalists, residents and medical students at UCSF Medical Center. The researchers used an EHR tool to identify the source of each character in a signed note. The tool logged which characters were entered manually, im- ported from another source or copy-and-pasted from a previous note. Eighteen percent of the text in a typical note was manually entered, while 36 percent was imported and 46 percent was copied. Residents (51.4 percent) tended to copy more than medical students (49 percent) or direct care hos- pitalists (47.9 percent). "Although we conducted a single-center, single-service analysis, we observed patterns that were consistent with what has been measured in previous stud- ies and what clinicians have observed anecdotally," the study authors wrote. n