Digital Health Platform
Annual penetration test and HIPAA technical safeguards review for a Series-B telehealth platform handling PHI for over half a million patients.
Surfaced an IDOR vulnerability exposing patient documents across tenant boundaries, a session-fixation flaw in the provider portal, and several gaps in audit logging required by §164.312. All remediated; engagement results supported the client's SOC 2 Type II audit.
The client operates a telehealth platform that connects patients to licensed providers across 30+ U.S. states. PHI flows through a multi-tenant SaaS architecture with provider, patient, and admin portals, plus a partner API used by health systems.
Our scope covered the three web portals, the partner API, and the technical safeguards listed in the HIPAA Security Rule (§164.312). We tested manually, focused on cross-tenant boundaries, and validated audit-log completeness against a defined set of regulated events.
The standout finding was an insecure direct object reference (IDOR) in the document download endpoint: with a valid patient session, an attacker could retrieve documents belonging to patients in other tenants simply by supplying their document identifiers. We demonstrated full impact, recommended a tenant-aware authorization middleware that checks tenant and ownership before any object is returned, and re-tested the fix end-to-end.
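To illustrate the remediation described above, here is an added example (not the client's code) of the deny-by-default, tenant-aware check that such a middleware would apply to a document download endpoint. The session fields, roles, and document store are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: str
    role: str  # "patient", "provider" or "admin" (assumed role names)


@dataclass(frozen=True)
class Document:
    doc_id: str
    tenant_id: str
    patient_id: str
    content: bytes


# Constructed sample store: two tenants, one document each.
DOCUMENTS = {
    "doc-1001": Document("doc-1001", "tenant-a", "pat-1", b"lab results A"),
    "doc-1002": Document("doc-1002", "tenant-b", "pat-2", b"lab results B"),
}


class Forbidden(Exception):
    """Raised for denied and unknown ids alike, so the endpoint is not an id oracle."""


def download_vulnerable(session: Session, doc_id: str) -> bytes:
    """Before: the session is authenticated, but the object is never authorized."""
    return DOCUMENTS[doc_id].content


def authorize_document(session: Session, doc: Document) -> None:
    """Tenant boundary first, then ownership; anything not explicitly allowed fails."""
    if doc.tenant_id != session.tenant_id:
        raise Forbidden("cross-tenant access")
    if session.role == "patient" and doc.patient_id != session.user_id:
        raise Forbidden("document belongs to another patient")
    # Assumption: providers and admins may read any document inside their own tenant.


def download_hardened(session: Session, doc_id: str) -> bytes:
    """After: look the object up, authorize it, and only then release its content."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise Forbidden("no such document")
    authorize_document(session, doc)
    return doc.content


def can_download(session: Session, doc_id: str) -> bool:
    """Convenience wrapper returning the authorization decision as a boolean."""
    try:
        download_hardened(session, doc_id)
        return True
    except Forbidden:
        return False
```

Re-testing a fix like this means exercising every role against ids from another tenant, not just the patient session that surfaced the finding.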
The final report was used directly by the client's compliance team as an artifact for their SOC 2 Type II audit cycle.