During VAPT of a healthcare SaaS platform, ThreatRiX discovered the patient record API used sequential integer IDs: GET /api/patients/1247/records. The API returned the full patient record including name, date of birth, diagnosis codes, medication history, and insurance information.
No object-level authorization check was performed — the API only verified the user was authenticated, not that they were authorized to access that specific patient. By incrementing the ID, any authenticated user (including patients themselves) could read any other patient's complete medical record.
CVSS Score: 8.8 (High). HIPAA violation risk for PHI exposure.
Authorization middleware was added to verify that the requesting user has an explicit permission record for the requested patient ID before any data is returned. Sequential integer IDs were replaced with random UUIDs to eliminate enumeration risk even if an authorization check were missed. Audit logging was enabled on all patient record access: each read is logged with user ID, patient ID, and timestamp. ThreatRiX retested 47 patient record endpoints and confirmed all now return 403 Forbidden for unauthorized access.
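The before/after pattern described above, as an added example that is not the platform's or ThreatRiX's own code. The patient records, user names, legacy integer IDs and permission table are constructed for illustration; the hardened handler checks an explicit permission record before touching the record and logs every attempt.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample data (hypothetical, not from the report): two patient records.
# Hardened storage keys records by random UUID; the legacy map shows the sequential
# integer IDs the vulnerable endpoint exposed (e.g. /api/patients/1247/records).
ALICE_ID, BOB_ID = str(uuid.uuid4()), str(uuid.uuid4())
PATIENTS = {
    ALICE_ID: {"name": "Alice Example", "dob": "1980-01-01", "diagnosis_codes": ["E11.9"]},
    BOB_ID: {"name": "Bob Example", "dob": "1975-06-15", "diagnosis_codes": ["I10"]},
}
LEGACY_INT_IDS = {1247: ALICE_ID, 1248: BOB_ID}

# Explicit permission records: (user_id, patient_id) pairs allowed to read that patient.
PERMISSIONS = {
    ("alice", ALICE_ID), ("bob", BOB_ID),            # patients may read their own record
    ("dr_smith", ALICE_ID), ("dr_smith", BOB_ID),    # treating clinician
}
AUDIT_LOG = []   # one entry per read attempt: user, patient, timestamp, outcome


def get_record_vulnerable(user_id, legacy_id):
    """Before the fix: authentication only. Any logged-in user can walk the integer IDs."""
    if user_id is None:
        return 401, None
    patient_id = LEGACY_INT_IDS.get(legacy_id)
    return (200, PATIENTS[patient_id]) if patient_id else (404, None)


def get_record_hardened(user_id, patient_id):
    """After the fix: object-level authorization against an explicit permission record,
    evaluated before the record is touched, with every attempt audit-logged."""
    if user_id is None:
        return 401, None
    allowed = (user_id, patient_id) in PERMISSIONS
    AUDIT_LOG.append({
        "user": user_id, "patient": patient_id,
        "ts": datetime.now(timezone.utc).isoformat(),
        "outcome": "allowed" if allowed else "denied",
    })
    if not allowed:
        return 403, None   # 403 whether or not the UUID exists: no existence oracle
    record = PATIENTS.get(patient_id)
    return (200, record) if record else (404, None)


def denied_attempts(user_id):
    """Monitoring helper: how many reads a user has been refused (an enumeration signal)."""
    return sum(1 for e in AUDIT_LOG if e["user"] == user_id and e["outcome"] == "denied")
```

A spike in `denied_attempts` for one user is the audit-log signal a detection rule would alert on.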