The privacy of medical records can seem like a tough balance. On the one hand, you don’t want health data like X-rays, MRIs, and CT scans falling into the wrong hands. On the other, if you’re referred from one doctor to another, you might want your new physician to have access to your medical history without lugging an enormous file from one office to the next.
In any event, the last thing you want is your private medical information just sitting on a server, "unprotected by passwords or basic security precautions," free to be seen by anyone with a typical web browser. But a recent ProPublica investigation found that the diagnostic imagery of some 5 million American patients is being stored in exactly that state, despite repeated warnings from security analysts.
ProPublica, along with German broadcaster Bayerischer Rundfunk, identified 187 computer servers storing medical data of both U.S. and international patients, "sitting unprotected on the internet and available to anyone with basic computer expertise":
The insecure servers we uncovered add to a growing list of medical records systems that have been compromised in recent years. Unlike some of the more infamous recent security breaches, in which hackers circumvented a company’s cyber defenses, these records were often stored on servers that lacked the security precautions that long ago became standard for businesses and government agencies.
According to the investigation, more than 16 million scans worldwide were available online — some viewable after typing in a simple data query — many paired with patient names, birthdates and even Social Security numbers.
"It’s not even hacking," said Jackie Singh, cybersecurity researcher and chief executive of the consulting firm Spyglass Security. "It’s walking into an open door."
Hungry, Hungry HIPAA?
So, what can you do if you think your X-rays and other medical images are online? Likely very little. Although the Health Insurance Portability and Accountability Act (HIPAA) requires health care providers to keep your personal data confidential and secure, ProPublica’s report describes several entities (doctors, hospitals, radiologists) pointing the finger at each other, and "Band-Aid upon Band-Aid applied" to try to solve the problem. Investigators also found few consequences for HIPAA violators.
Still, if you can prove that your private medical information has been publicly exposed, you have options. HIPAA itself does not give individuals a right to sue; it is enforced by the Department of Health and Human Services Office for Civil Rights, with which you can file a complaint. You may also have a claim under state privacy or negligence law. Contact an experienced health care attorney to discuss your options.