Health data, X-rays and other medical imaging of millions of Americans have been uploaded to open servers online – and those records are vulnerable for just about anyone to see, a report reveals.
A ProPublica and Bayerischer Rundfunk investigation found that doctors’ offices across the US store the medical data of more than five million patients on servers that are virtually unprotected.
Some of the servers don’t even have passwords.
While hacks of medical and financial data have caused alarm for many Americans in recent years, no computer skill is even required to access these deeply private images and data.
This scan is one of some 16 million medical images that a ProPublica investigation of servers used by doctors’ offices found online and unprotected by cybersecurity measures (identifying information removed by ProPublica)
‘It’s not even hacking. It’s walking into an open door,’ Jackie Singh, CEO of the cybersecurity firm Spyglass Security, told ProPublica.
The investigation uncovered 187 deeply vulnerable servers used by doctors’ offices to store medical data online.
Often without so much as a simple password protecting the information, the servers exposed 16 million medical image scans, full names, birth dates and Social Security numbers to the investigators.
One company, MobilexUSA, revealed full names in response to a single simple search, like one you might type into Google.
Healthcare data is supposed to be kept private and confidential between a provider and patient under the 1996 Health Insurance Portability and Accountability Act (HIPAA).
Medical information can be used to steal identities, creating financial risk, and could serve as a basis for discrimination.
For example, echocardiograms, which show how well the heart is functioning, were sitting vulnerable on a server used by a Los Angeles-based doctor.
If one of those patients had imperfect heart function and was applying for a job that involved some physical activity, an employer who saw their private medical data might illegally deny the patient the job.
‘Medical records are one of the most important areas for privacy because they’re so sensitive,’ Cooper Quintin, a technologist at the digital rights advocacy group Electronic Frontier Foundation, told ProPublica.
‘Medical knowledge can be used against you in malicious ways: to shame people, to blackmail people.’
So far as the ProPublica investigation could determine, the medical data and images haven’t been published anywhere else, suggesting that hackers or others with bad intentions had not yet found or taken advantage of the exposed records.
But there has been nothing stopping them from doing so.
Doctors are legally responsible for the protection of patients’ confidential data, but so are the companies and individuals that they contract with.
So it’s unclear who would bear the responsibility for this massive exposure.
Although major hospitals used some of the same servers, they had imposed better privacy and security protocols to protect patient data.
Small, private or independent radiologists were the most common starting point in the series of security failures.
The group responsible for creating and maintaining the professional standard for digitally storing and protecting medical images, the Medical Imaging and Technology Alliance, seemed quite ready to pass the buck to these individuals.
According to a statement the group released, some 700 servers used by people in the medical profession operate using an ‘open connection’.
‘Even though it is a comparatively small number, it may be possible that some of these systems may contain patient records,’ they wrote.
‘Those likely represent bad configuration choices on the part of those operating those systems.’
In other words, if someone from these medical offices had set up their server connection differently, they could have imposed security measures to keep patient data private.
However, the medical industry is rather notorious for lagging behind when it comes to non-medical technology.
And out of harried attempts to catch up or to plug holes in the often outdated or out-of-sync systems medical offices use, new problems often arise.
‘What we typically see in the health care industry is that there is Band-Aid upon Band-Aid applied,’ said Singh.
But that doesn’t mean the industry or tech companies that contract with medical offices should be off the hook.
‘It’s 2019. There’s no reason for this,’ she told ProPublica.