| September 26, 2019

ProPublica report: Americans’ health data is readily available online

Marina Turea

Marina is passionate about all emerging technologies in the healthcare space and loves to write about all of them.

A ProPublica report has revealed that hundreds of computer servers worldwide are so insecure that anyone with a web browser and some knowledge of computer code could access patient data, including images.

The nonprofit newsroom revealed that patient records including X-rays, MRIs, and CT scans were all easily accessible to anyone with basic computer knowledge.

The vulnerable records cover more than 5 million American patients and millions more around the world, some of which could be seen using just a typical web browser or free downloadable program.

ProPublica and the German broadcaster Bayerischer Rundfunk identified 187 servers that were not protected by even basic passwords or security measures, adding to the growing number of patient records exposed in recent years.

The two news organizations also scanned Internet Protocol (IP) addresses to identify as many of the responsible medical providers as possible.

Cybersecurity researcher and chief executive of the consulting firm Spyglass Security Jackie Singh told ProPublica: “It’s not even hacking. It’s walking into an open door.”

Many medical providers were not even aware of how easy it was for anyone to access their records, and began locking down their systems once they learned of the findings.

The report found that the level of data exposure varied depending on the healthcare provider and the software used to store patient records.

MobilexUSA’s server reportedly displayed the names, dates of birth, doctors, and procedures of more than a million patients following a simple search query. The company tightened its security procedures after the investigation team broke the news.

The parent company of MobilexUSA released a statement shortly after, which read: “We promptly mitigated the potential vulnerabilities identified by ProPublica and immediately began an ongoing, thorough investigation.”

The system of a Los Angeles physician even allowed anyone with an internet connection to view the echocardiograms of his patients.

Altogether, data from more than 16 million medical scans across the world were easily accessible online at the time of the investigation, which, in some cases, included the Social Security numbers of patients.

Some 13.7 million medical tests were available online for public viewing, and more than 400,000 X-rays and medical images could be downloaded by the average computer user.

While the report found that large hospital chains and academic medical centers did have security protections in place, independent radiologists, medical imaging centers and archiving services were the most exposed.

Healthcare providers and their business associates are legally responsible for protecting patient data. Experts have told ProPublica that the exposure of this data could even violate the Health Insurance Portability and Accountability Act, or HIPAA, the 1996 law that requires health care providers to keep Americans’ health data confidential and secure.

Security researcher and senior staff technologist with the Electronic Frontier Foundation, a digital-rights group, Cooper Quintin said: “Medical records are one of the most important areas for privacy because they’re so sensitive. Medical knowledge can be used against you in malicious ways: to shame people, to blackmail people.

“This is so utterly irresponsible.”

The report does note, however, that there was no sign that any of the patient data found was copied from systems and published elsewhere.

Director of medical analytics at Massachusetts General Hospital’s radiology department, Oleg Pianykh, has been trying to warn healthcare providers about how they handle patient data for years.

He even published a research report in 2016 on mapping digital radiology adoption and security worldwide.

He said medical imaging had long been shared in a way that assumed the data was secured by the customer’s own computer security systems.

However, when records began to be uploaded onto the internet and systems became more complex, the responsibility for those records shifted into the hands of network administrators – who assumed safety precautions were already in place.

While it is now easier for doctors across the world to view patient data on a computer screen, it is also easier than ever for the data to get into the wrong hands.

Denver-based Offsite Image, a system used to archive medical images, was found to display the names and other details of more than 340,000 human and veterinary records to ProPublica without much effort from the investigations team.

An executive from the company told ProPublica the company charges clients $50 for site access and a further $1 per study. Offsite Image’s website reads ‘Your data is safe and secure with us’.

The company’s tech consultant Matthew Nelms told ProPublica: “We were just never even aware that there was a possibility that could even happen.”

Given this, Pianykh described medical data security as being a ‘do-it-yourself project’.

A security firm in Germany had also picked up on faults in the system ahead of ProPublica’s report.

Greenbone Networks found problems in at least 52 countries on every inhabited continent, discovering that patient records were at risk. The findings were passed on to ProPublica to investigate the extent of the problem in the US.

The report was shared with officials from the Medical Imaging & Technology Alliance, the group that oversees the standard of keeping patient data. They laid the blame on those who were running the servers.

In a statement, the organization said: “Even though it is a comparatively small number, it may be possible that some of those systems may contain patient records.

“Those likely represent bad configuration choices on the part of those operating those systems.”

It isn’t the first time private data breaches have been in the headlines, either. In 2015, U.S. health insurer Anthem Inc. revealed that a hacker had accessed private data belonging to more than 78 million people.

Analysis of records from the U.S. Department of Health and Human Services has found that more than 40 million people have had their medical data compromised in the last two years alone.

A spokeswoman for HHS’ Office for Civil Rights, which enforces HIPAA, said it would not comment on any open or potential investigations.

Jackie Singh had the final comment on the report. She pointed out it is a ‘shared responsibility’ for manufacturers, standards makers and hospitals to ensure computer servers holding patient data are secured.

“It’s 2019,” she said. “There’s no reason for this.”
