Patient data from millions of medical images exposed online

September 20, 2019
Medicare Web

Data such as patient names, birthdates, and Social Security numbers from more than 16 million medical images of patients worldwide are unprotected on the Internet, according to a report by ProPublica and Bayerischer Rundfunk, a German broadcaster.

The investigation found that computer servers storing medical images, including x-rays, magnetic resonance images, and computed tomography scans, did not use basic security measures such as passwords. In the U.S. alone, 187 servers used by physicians, medical imaging centers, and mobile x-ray services were unsecured, leaving the data of more than five million Americans vulnerable.

In one instance, the server of a mobile x-ray company revealed the names, birthdates, doctors, and procedures of more than one million patients, ProPublica reported. In another case, an imaging system used by a physician permitted access to his patients’ echocardiograms.

The report unveiled a stunning lack of cybersecurity.

“It’s not even hacking. It’s walking into an open door,” Jackie Singh, a cybersecurity researcher and chief executive of the consulting firm Spyglass Security, told ProPublica.

Experts consulted by ProPublica said that failing to protect the privacy of medical images may violate HIPAA, though it’s unclear who’s ultimately responsible.

Regardless, the exposure of medical data is damaging to consumers. “Medical knowledge can be used against you in malicious ways: to shame people, to blackmail people,” Cooper Quintin, a security researcher and senior staff technologist with the Electronic Frontier Foundation, told ProPublica. “This is so utterly irresponsible.”
