OTPulse

LifePoint Informatics Patient Portal

Monitor · CVSS 6.5 · ICS-CERT ICSMA-22-095-01 · Apr 5, 2022
Attack vector: Network
Auth required: Low (valid portal credentials)
Attack complexity: Low
User interaction: None needed
Summary

A flaw in LifePoint Informatics Patient Portal versions prior to 3.5.15 allows authenticated users to access sensitive patient information beyond their authorization level. The vulnerability stems from insufficient access controls: the portal authenticates the user but does not adequately verify that the user is authorized to view the specific record requested, so any user with valid portal credentials can read HIPAA-protected personally identifiable information (PII) of patients they are not entitled to see. LifePoint Informatics deployed the fix (version LPI 3.5.15) in February 2022 as a hosted service update; organizations do not need to perform manual patching.

What this means
What could happen
An attacker with valid portal login credentials could access sensitive patient information including HIPAA-protected personally identifiable information (PII). This is a hosted service, so most organizations are already protected by vendor updates deployed in February 2022.
Who's at risk
Healthcare organizations using LifePoint Informatics Patient Portal, particularly staff who manage patient-facing web access and IT administrators responsible for healthcare information systems. Patient Portal is a web-based application used by healthcare facilities to provide patient access to medical records and appointment information.
How it could be exploited
An attacker with valid LifePoint Informatics Patient Portal credentials (such as a compromised staff account or a stolen patient password) can authenticate to the portal and retrieve patient records that the account is not authorized to view. The root cause is insufficient access control: the portal checks that a request comes from a logged-in user but does not check that this user is permitted to view the particular patient record being requested, so an attacker who can guess or enumerate record identifiers can read other patients' data.
Prerequisites
  • Valid Patient Portal login credentials (username/password)
  • Network access to the Patient Portal interface
  • Knowledge of or ability to enumerate patient record identifiers
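The following is an added illustration of the class of flaw described above, written for this page and not taken from LifePoint's product: a record lookup that checks only that the caller is logged in, beside a hardened version that also checks object-level authorization. All names, roles, records and identifiers are constructed assumptions for the example.

```python
# Added example: authentication-only lookup vs. lookup with per-record
# authorization. Not LifePoint code; data and names are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str                            # "patient" or "staff" (assumed roles)
    patient_id: Optional[str] = None     # the patient a patient login belongs to
    assigned: frozenset = frozenset()    # patient_ids a staff login may view


@dataclass(frozen=True)
class PatientRecord:
    record_id: int
    patient_id: str
    diagnosis: str


# Constructed sample records; identifiers are sequential, so they are
# trivially enumerable (the page's third prerequisite).
RECORDS = {
    1001: PatientRecord(1001, "P-001", "hypertension"),
    1002: PatientRecord(1002, "P-002", "type 2 diabetes"),
    1003: PatientRecord(1003, "P-003", "asthma"),
}

ALICE = User("alice", "patient", patient_id="P-001")
NURSE = User("nurse1", "staff", assigned=frozenset({"P-002"}))


class NotFound(Exception):
    """Raised for both 'no such record' and 'not authorized' (see below)."""


def get_record_vulnerable(user, record_id):
    """Authentication only: any logged-in user receives any record that exists."""
    if user is None:
        raise PermissionError("login required")
    return RECORDS.get(record_id)


def may_view(user, record):
    """Object-level authorization rule (assumed policy for the example)."""
    if user.role == "patient":
        return record.patient_id == user.patient_id
    if user.role == "staff":
        return record.patient_id in user.assigned
    return False


def get_record_hardened(user, record_id):
    """Authentication plus a per-record authorization check."""
    if user is None:
        raise PermissionError("login required")
    record = RECORDS.get(record_id)
    # Collapse "does not exist" and "not yours" into one outcome so the
    # response does not reveal which identifiers are valid.
    if record is None or not may_view(user, record):
        raise NotFound(f"record {record_id}")
    return record


def enumerate_records(fetch, user, id_range):
    """Simulate the enumeration prerequisite: walk a range of identifiers
    with one login and return the ids that came back with data."""
    found = []
    for rid in id_range:
        try:
            rec = fetch(user, rid)
        except NotFound:
            continue
        if rec is not None:
            found.append(rec.record_id)
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_records(get_record_vulnerable, ALICE, range(1000, 1010)))
    print("hardened:  ", enumerate_records(get_record_hardened, ALICE, range(1000, 1010)))
```

With the vulnerable lookup the patient login `alice` retrieves all three records; with the hardened lookup she retrieves only her own, and the staff login sees only its assigned patient. Returning the same "not found" result for unauthorized and nonexistent identifiers removes the oracle an attacker would otherwise use to map out valid record numbers.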
  • Remotely exploitable
  • Requires valid authentication credentials
  • Low attack complexity
  • Affects sensitive healthcare data (HIPAA PII)
  • No public exploits known
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected versions | Fix status
Patient Portal | LPI 3.5.12.P30 (all versions prior to 3.5.15) | Fixed in LPI 3.5.15
Remediation & Mitigation
Do now
HARDENING: Enable and review access logs for the Patient Portal to detect unauthorized data access. Look in particular for a single login reading records of many distinct patients in a short period, and for reads of records that do not belong to the patient identity associated with the login, since those are the patterns this flaw produces.
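As an added example of the log review recommended above (written for this page, not a LifePoint tool), the following runs two detection rules over constructed portal access-log lines: reads of a patient record the login is not mapped to, and bursts of reads across many distinct patients. The log format, field names, user directory and thresholds are assumptions; adapt them to the fields your portal actually logs.

```python
# Added example: two detection rules over constructed access-log lines.
# Log format, directory contents and thresholds are assumptions, not
# LifePoint's real log format.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2022-02-10T09:14:02Z user=alice patient=P-001 record=1001 status=200
2022-02-10T09:14:40Z user=alice patient=P-002 record=1002 status=200
2022-02-10T09:14:41Z user=alice patient=P-003 record=1003 status=200
2022-02-10T09:14:42Z user=alice patient=P-004 record=1004 status=200
2022-02-10T09:20:00Z user=nurse1 patient=P-002 record=1002 status=200
2022-02-10T09:21:00Z user=nurse1 patient=P-002 record=1002 status=200
2022-02-10T10:05:00Z user=bob patient=P-005 record=1005 status=200
"""

# Constructed directory: which patient ids each login is allowed to read.
# For a patient login that is their own id; for staff, their assigned patients.
USER_DIRECTORY = {
    "alice":  {"P-001"},
    "bob":    {"P-005"},
    "nurse1": {"P-002", "P-003"},
}


def parse_line(line):
    """Parse one 'ts k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts, *kvs = line.split()
    entry = dict(kv.split("=", 1) for kv in kvs)
    entry["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return entry


def cross_patient_reads(entries, directory=USER_DIRECTORY):
    """Rule 1: successful reads of a patient the login is not mapped to.
    Unknown logins are treated as mapped to nothing, so every read is flagged."""
    return [e for e in entries
            if e["status"] == "200"
            and e["patient"] not in directory.get(e["user"], set())]


def enumeration_bursts(entries, window=timedelta(minutes=5), max_distinct=2):
    """Rule 2: a login that read more than max_distinct distinct patients
    within any window of the given length. Returns {user: distinct_count}."""
    by_user = defaultdict(list)
    for e in entries:
        if e["status"] == "200":
            by_user[e["user"]].append((e["ts"], e["patient"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {p for t, p in events[i:] if t - t0 <= window}
            if len(seen) > max_distinct:
                flagged[user] = len(seen)
                break
    return flagged


def review(log_text):
    """Run both rules and return compact findings for triage."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "cross_patient": [(e["user"], e["patient"], e["record"])
                          for e in cross_patient_reads(entries)],
        "bursts": enumeration_bursts(entries),
    }


if __name__ == "__main__":
    for rule, findings in review(SAMPLE_LOG).items():
        print(rule, findings)
```

On the sample data the login `alice` is flagged by both rules: three reads of patients other than P-001, and four distinct patients touched within one minute. The staff login reading its assigned patient twice and the patient login reading only its own record produce no findings. Rule 1 needs a trustworthy login-to-patient mapping; rule 2 needs none, which makes it the quicker one to deploy while the directory join is being built.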
Schedule — requires maintenance window

The fix was applied by the vendor as a hosted service update, so no customer-side patching or reboot is expected; the remaining task is to confirm the version your instance is running.

HOTFIX: Verify that your LifePoint Informatics Patient Portal instance is running version LPI 3.5.15 or later (deployed in February 2022)
Long-term hardening
HARDENING: Restrict network access to the Patient Portal to authorized users only using firewall rules and VPN enforcement
HARDENING: Implement multi-factor authentication (MFA) on all Patient Portal accounts to reduce the risk of credential compromise