Medical record privacy can seem like a difficult balance. On the one hand, you don’t want health data like X-rays, MRIs, and CT scans to fall into the wrong hands. On the other hand, if you’re being referred from one doctor to another, you may want your new doctor to have access to your medical history without dragging a huge file from one office to the next.
Either way, the last thing you want is your private medical information, which is only on a server, “unprotected by passwords or basic security precautions” and freely visible to anyone with a typical web browser. However, a recent ProPublica research found that the diagnostic images of approximately 5 million American patients are stored in such a state despite repeated warnings from security analysts.
ProPublica, together with the German broadcaster Bayerischer Rundfunk, identified 187 computer servers on which the medical data of US and international patients are stored, “which sit unprotected on the Internet and are available to anyone with basic computer skills”:
The insecure servers we have discovered add to a growing list of medical records systems that have been compromised in recent years. Unlike some of the more notorious security breaches of recent times in which hackers bypassed a company’s cyber defenses, these records were often stored on servers that lacked the security safeguards that long ago became standard for businesses and government agencies.
According to the research, more than 16 million scans were available online worldwide – some of them after entering a simple data query – many of them paired with patient names, dates of birth and even social security numbers.
“It’s not even hacking,” said cybersecurity researcher and general manager of consulting firm Spyglass Security Jackie Singh. “It goes into an open door.”
Hungry, Hungry HIPAA?
So what can you do if you think your x-rays and other medical images are online? Probably very little, although the Health Insurance Portability and Accountability Act (HIPAA) mandates that healthcare providers keep your personal information confidential and secure, ProPublica’s report describes several companies (from doctors to hospitals to radiologists) holding the finger point to each other and use a “patch after patch” to resolve the problem. Investigators also found few ramifications for HIPAA violations.
However, if you can demonstrate that your private medical information has been publicly compromised, you may have a legal claim under HIPAA. Contact an experienced healthcare attorney to discuss your claims.