I REALLY hope none of my fellow USAians use True Health Diagnostics for medical services

[thewayne]

According to the web site, "True Health is a privately held health services company specializing in “comprehensive testing for early detection of chronic diseases,” according to the company’s Web site."  They had a VERY serious flaw in the way their web site allowed you to display your information: your personal account was an incrementing number, and while viewing your information, you could change the number in your browser and view someone else's information.

Can you spell HIPAA violation?  I knew you could.

I can't believe someone would allow crap like this to continue in this day and age.  I remember a certain credit card company, it might have been Citi, had the exact same company upwards of a decade ago.  Completely inexcusable.  And looking at the account number of the person who tipped Brian Krebs to the problem, they have perhaps two million customers.  Not good.

The flaw has been (supposedly) fixed, they're now in the phase of trying to figure out how many people's information may have been accessed and doing notification.

https://krebsonsecurity.com/2017/05/website-flaw-let-true-health-diagnostics-users-view-all-medical-records/

Comments

[elayna]

I have lost track of the crap that I cannot believe people let continue in this day and age. Or the scams that businesses try to pull or the carelessness they think won't be noticed.

[thewayne]

It is ever so much worse than that. Restaurants are getting phished by managers receiving emails from "law firms" informing them that they're getting sued and that this is a copy of the suit that they have to respond to, ignoring the fact that suits have to be delivered by a process server and must be signed for and are usually delivered to the corporation's legal consul.

You'll love my forthcoming post on SS7 hacking.