The medical images and health data of millions of Americans, including X-rays, MRIs and CT scans, have been discovered on unsecured servers.
The records cover over 5m patients in the US as well as millions more around the world and in some cases, these images and private data can be viewed by anyone with access to a web browser.
An investigation carried out by ProPublica and the German broadcaster Bayerischer Rundfunk identified 187 servers in the US that were not protected by passwords or basic security precautions. Unlike other recent high-profile data breaches, these records were stored on servers which lacked the security precautions that are typically employed by businesses and government agencies.
ProPublica found that the extent of the exposure varies by health provider as well as by the medical record software they use. For example, the server of the US company MobilexUSA displayed the names, dates of birth, doctors and procedures of more than a million patients and all of this information was accessible by entering a simple data query. The company has since improved its security after being alerted by ProPublica.
Unsecured medical data
In total, medical data from over 16m scans worldwide was available online and this data included names, birth dates and in some cases, Social Security numbers.
However, pointing the blame and the party responsible has been difficult for experts. Under US law, healthcare providers and their business associates are legally accountable for securing the privacy of patient data. According to several experts, exposing patient data the way these companies did could violate the Health Insurance Portability and Accountability Act (HIPAA).
Thankfully, ProPublica found no evidence that the exposed patient data was copied from these systems and published elsewhere but still, the consequences of unauthorized access to this kind of information could be devastating.
The nonprofit organization’s investigation showed that large hospital chains and academic medical centers did put the necessary security protections in place to protect their data. However, independent radiologists, medical imaging centers and archiving services failed to protect the data that was in their care.