IDOR on Patient Records — Healthcare SaaS Platform
A telehealth platform handling protected health information (ePHI) engaged us for a HIPAA §164.308(a)(8) technical evaluation ahead of a payer contract that required a compliance audit. Their scanner had found zero critical issues two months prior.
What We Found
The patient record API used sequential integer IDs with no object-level authorization check. Authenticated users could access any patient record by incrementing the patient_id parameter — regardless of whether that patient was assigned to their account.
We validated access to 847 test records across 3 user accounts without triggering any rate limiting, alerting, or access denial. A real attacker with one valid account could enumerate the entire patient database.
HIPAA Impact
Unauthenticated access to ePHI constitutes a reportable breach under HIPAA. OCR investigations for similar violations have resulted in settlements ranging from $100K to $1.9M. The payer audit would have failed immediately on CC6.1.
Attack Chain
Login as low-privilege user → enumerate patient IDs via API endpoint GET /api/v2/patients/{id} → access full name, DOB, diagnosis codes, and insurance information for any patient → no rate limiting, no alerting triggered.
Remediation
Implement server-side authorization check on every patient record request: verify the requesting user has an active care relationship with the requested patient_id before returning data. Add request logging and alerting on cross-account access patterns. Retest confirmed fix in 3 days.