
PII Leakage via IDOR in Patient Record API

Severity: CRITICAL
Industry: Healthcare
Finding: Sequential patient IDs in API — any authenticated user could read any other patient's full medical record
Method: Manual + automated penetration testing
Outcome: Unauthorized access to Protected Health Information (PHI) for all patients in the database. HIPAA breach notification obligation risk. Patient trust and regulatory exposure. Remediated in 48 hours — object-level authorization implemented on all patient record endpoints, IDs replaced with UUIDs in all API responses.

The finding
Sequential patient IDs in API — any authenticated user could read any other patient's full medical record

Technical detail

During a VAPT (vulnerability assessment and penetration testing) engagement for a healthcare SaaS platform, ThreatRiX discovered that the patient record API used sequential integer IDs, e.g. GET /api/patients/1247/records. The API returned the full patient record, including name, date of birth, diagnosis codes, medication history, and insurance information.

No object-level authorization check was performed — the API only verified the user was authenticated, not that they were authorized to access that specific patient. By incrementing the ID, any authenticated user (including patients themselves) could read any other patient's complete medical record.

CVSS Score: 8.8 (High). HIPAA violation risk for PHI exposure.

Business impact & resolution

Unauthorized access to Protected Health Information (PHI) for all patients in the database. HIPAA breach notification obligation risk. Patient trust and regulatory exposure. Remediated in 48 hours — object-level authorization implemented on all patient record endpoints, IDs replaced with UUIDs in all API responses.

Remediation

Authorization middleware added to verify the requesting user has an explicit permission record for the requested patient ID before returning any data. Sequential integer IDs replaced with random UUIDs to eliminate enumeration risk even if an authorization check were missed. Audit logging enabled on all patient record access — each read is logged with user ID, patient ID, and timestamp. ThreatRiX retested 47 patient record endpoints and confirmed all now return 403 Forbidden for unauthorized access.
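The following Python model, added for this page and not taken from ThreatRiX's tooling or the client's codebase, puts the "Technical detail" and "Remediation" sections side by side: a handler that only checks authentication (the IDOR), and a hardened handler that checks an explicit permission record, addresses records by random UUID, writes an audit entry for every read, and returns 403 for unauthorized access. The request/response shape, the patient data, the permission table and all function names are constructed assumptions for illustration.

```python
"""Before/after model of the patient-record IDOR (constructed example, not the client's code)."""
import logging
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

log = logging.getLogger("patient_audit")


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


# Constructed sample records (not real patients). The "before" store is keyed by
# the sequential integers the vulnerable API exposed.
PATIENTS_BY_INT: Dict[int, dict] = {
    1247: {"name": "A. Example", "dob": "1980-01-01", "diagnoses": ["E11.9"]},
    1248: {"name": "B. Example", "dob": "1975-06-15", "diagnoses": ["I10"]},
}

# The "after" store is keyed by random UUIDs (generated here at import time), so a
# caller cannot derive one patient's identifier from another's.
PATIENT_A = str(uuid.uuid4())
PATIENT_B = str(uuid.uuid4())
PATIENTS_BY_UUID: Dict[str, dict] = {
    PATIENT_A: PATIENTS_BY_INT[1247],
    PATIENT_B: PATIENTS_BY_INT[1248],
}

# Explicit permission records: (user_id, patient_uuid) pairs that are allowed to read.
# Constructed for the example: each patient may read their own record, one clinician both.
PERMISSIONS = {
    ("patient-a-user", PATIENT_A),
    ("patient-b-user", PATIENT_B),
    ("dr-smith", PATIENT_A),
    ("dr-smith", PATIENT_B),
}

# In-memory audit sink so the behaviour can be checked offline; a real deployment
# would ship these entries to a log pipeline / SIEM.
AUDIT_LOG: List[dict] = []


def get_record_vulnerable(user_id: Optional[str], patient_id: int) -> Response:
    """'Before': authentication only. Any logged-in user can read any record by
    changing the integer, which is exactly the IDOR the engagement found."""
    if user_id is None:
        return Response(401)
    record = PATIENTS_BY_INT.get(patient_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def is_authorized(user_id: str, patient_uuid: str) -> bool:
    """Object-level authorization: require an explicit permission record."""
    return (user_id, patient_uuid) in PERMISSIONS


def get_record_hardened(user_id: Optional[str], patient_uuid: str) -> Response:
    """'After': authn, then identifier validation, then authz with audit logging."""
    if user_id is None:
        return Response(401)
    # Reject anything that is not a well-formed UUID before touching the store.
    try:
        uuid.UUID(patient_uuid)
    except ValueError:
        return Response(404)
    allowed = is_authorized(user_id, patient_uuid)
    # Every read attempt is logged with user ID, patient ID, timestamp and decision.
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "patient_id": patient_uuid,
        "allowed": allowed,
    }
    AUDIT_LOG.append(entry)
    log.info("patient_record_read %s", entry)
    # Authorization is checked before existence, so an unknown UUID also yields 403
    # and the endpoint does not act as an existence oracle.
    if not allowed:
        return Response(403)
    record = PATIENTS_BY_UUID.get(patient_uuid)
    if record is None:
        return Response(404)
    return Response(200, record)


if __name__ == "__main__":
    # Patient A's user reading patient B: succeeds before, 403 after.
    print(get_record_vulnerable("patient-a-user", 1248).status)   # 200
    print(get_record_hardened("patient-a-user", PATIENT_B).status)  # 403
    print(get_record_hardened("dr-smith", PATIENT_B).status)        # 200
```

The ordering in the hardened handler matters: validating the identifier and consulting the permission table before the database lookup means a failed authorization check returns the same 403 whether or not the record exists, and the audit entry is written for denied attempts as well as allowed ones, which is what makes enumeration attempts visible after the fact.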

Could this happen to your application?

Run a free scan on your domain — see what ThreatRiX finds in 60 seconds.