The medical images and health data of more than five million patients are stored on insecure computer systems that are accessible to "anyone with basic computer expertise," Jack Gillum and his colleagues write for ProPublica.
Investigation finds millions of patients' private data on insecure servers
Some health care data breaches are conducted by sophisticated hackers who exploit obscure weaknesses in an organization's defenses to access private data, but a ProPublica investigation found that, in some cases, private medical data and images are accessible through a typical web browser.
For the investigation, ProPublica worked with the German broadcaster Bayerischer Rundfunk to build on research by a German security firm, Greenbone Networks, that had identified 187 U.S. servers containing patient data unprotected by passwords or other basic security precautions.
According to ProPublica, the investigation revealed that the results of more than 13.7 million U.S. medical tests were available online, including more than 400,000 that included X-rays, CT scans, and other images. ProPublica estimated the data related to more than five million U.S. patients.
ProPublica and Bayerischer Rundfunk also examined the servers' IP addresses, which identify a host on the internet and can often be traced to the organization that operates it, to try to determine which medical providers ran the insecure servers.
The investigation found that servers owned by large hospital chains and academic medical centers usually had security protections in place. However, servers owned by radiologists, medical imaging centers, and archiving services were more likely to have insecure data.
According to the investigation, the extent of the data exposure varied by health provider and software.
For instance, the server for MobilexUSA displayed the names, dates of birth, doctors, and procedures of more than one million patients just by typing in a data query. One imaging system for a physician in Los Angeles allowed anyone on the internet to access patients' echocardiograms.
Why insecure patient data matters
According to ProPublica, the recently discovered servers are part of a growing problem of insecure medical records.
"It's not even hacking. It's walking into an open door," said Jackie Singh, a cybersecurity researcher and chief executive of Spyglass Security.
While ProPublica's investigation found no signs that patient data had been improperly accessed or copied from the insecure systems, experts said the consequences of such a breach would be severe.
"Medical records are one of the most important areas for privacy because they're so sensitive," said Cooper Quintin, a security researcher and senior staff technologist with the Electronic Frontier Foundation. "Medical knowledge can be used against you in malicious ways: to shame people, to blackmail people. This is so utterly irresponsible."
Health care providers are legally accountable for securing patient data under U.S. law. According to some experts, the recent exposures of patient data could violate the Health Insurance Portability and Accountability Act (HIPAA).
What providers are doing to secure their systems
ProPublica reached out to the organizations that were found to have insecure systems, providing them with the opportunity to tighten their security.
MobilexUSA, for instance, said it just updated its security earlier this month. "We promptly mitigated the potential vulnerabilities identified by ProPublica and immediately began an ongoing, thorough investigation," the company said in a statement.
Offsite Image, which had exposed data related to more than 340,000 human and veterinary records, also fixed its servers after being contacted by ProPublica. "We were just never even aware that there was a possibility that could even happen," said Matthew Nelms, a consultant with Offsite Image.
But many organizations remain vulnerable to inadvertent disclosure, Gillum and colleagues write. Singh, the Spyglass Security chief executive, explained, "What we typically see in the health care industry is that there is Band-Aid upon Band-Aid applied" (Gillum et al., ProPublica, 9/17).