An anonymous reader quotes a report from ProPublica: Medical images and health data belonging to millions of Americans, including X-rays, MRIs, and CT scans, are sitting unprotected on the Internet and available to anyone with basic computer expertise. The records cover more than 5 million patients in the United States and millions more around the world. In some cases, a snoop could use free software programs — or just a typical Web browser — to view the images and private data, an investigation by ProPublica and the German broadcaster Bayerischer Rundfunk found.
We identified 187 servers — computers that are used to store and retrieve medical data — in the U.S. that were unprotected by passwords or basic security precautions. The computer systems, from Florida to California, are used in doctors’ offices, medical-imaging centers, and mobile X-ray services. The insecure servers we uncovered add to a growing list of medical records systems that have been compromised in recent years. Unlike some of the more infamous recent security breaches, in which hackers circumvented a company’s cyber defenses, these records were often stored on servers that lacked the security precautions that long ago became standard for businesses and government agencies. The exposed data varied depending on the health provider and the software they use. “For instance, the server of U.S. company MobilexUSA displayed the names of more than a million patients — all by typing in a simple data query,” reports ProPublica. “Their dates of birth, doctors, and procedures were also included.”
“Another imaging system, tied to a physician in Los Angeles, allowed anyone on the Internet to see his patients’ echocardiograms,” the report adds. “All told, medical data from more than 16 million scans worldwide was available online, including names, birthdates, and, in some cases, Social Security numbers.”
The authors of the report recommend that you ask your health care provider or doctor whether access to your images requires a login and password, and whether they conduct a regular security assessment as required by HIPAA.