Propublica finds millions of Americans’ medical images and data sitting on unprotected, publicly accessible servers

An investigation by Propublica and Bayerischer Rundfunk found 187 servers hosting more than 5,000,000 patients’ confidential medical records and scans (including a mix of Social Security numbers, home addresses and phone numbers, scans and images, and medical files) that were accessible by the public, “available to anyone with basic computer expertise.”

Many of these records were exposed by large commercial technology providers that service doctors’ offices and clinics, such as Mobilexusa, while others were operated by individual doctors, some of whom never returned Propublica’s calls or took any steps to tighten their security prior to publication of the investigation (Mobilexusa “tightened its security” after being alerted by Propublica).

The poor security has multiple causes: insurers write cybersecurity policies without adequate due diligence (in part because the penalties for breaches are generally laughable); medical software companies sell products that assume their customers will provide the security layer, while customers assume that the security comes from those products; the rush to establish electronic health records has yielded up a bonanza of insecure practices that are optimized for improving billings, not health or security; and plain old willful neglect.

To all this, I’d add the proliferation of binding arbitration “agreements” that doctors increasingly require patients to sign as a condition of receiving care (I refuse to sign these, which means that I sometimes have to drive to another city to see a specialist; for example, the only pain specialist I could find who did not require this is at USC’s pain clinic, an hour’s drive from my home). These agreements force you to surrender your right to full legal redress if your doctor or their administrative practices harm you: under these conditions, it’s “economically rational” for doctors to underinvest in security, because the penalties for failure are reduced to laughable wrist-slaps from tame “arbitrators” in the pay of the doctor.

We found that some systems used to archive medical images also lacked security precautions. Denver-based Offsite Image left open the names and other details of more than 340,000 human and veterinary records, including those of a large cat named “Marshmellow,” ProPublica found. An Offsite Image executive told ProPublica the company charges clients $50 for access to the site and then $1 per study. “Your data is safe and secure with us,” Offsite Image’s website says.

The company referred ProPublica to its tech consultant, who at first defended Offsite Image’s security practices and insisted that a password was needed to access patient records. The consultant, Matthew Nelms, then called a ProPublica reporter a day later and acknowledged Offsite Image’s servers had been accessible but were now fixed.

“We were just never even aware that there was a possibility that could even happen,” Nelms said.

Millions of Americans’ medical images and data are available on the Internet [Jack Gillum, Jeff Kao, and Jeff Larson/Arstechinca/ProPublica]

(Image: Ptrump16, CC BY-SA)