The investigation revealed that there are 187 servers containing medical data in the US that are unprotected by passwords.
The servers identified by ProPublica and Bayerischer Rundfunk were utilized in medical-imaging facilities, mobile X-ray services and doctors’ offices all across the US, from Florida to California. Examples of leaked data include names, birth dates and even social security numbers.
According to ProPublica, the “extent of exposure” among patients varied depending on the software used and the health care provider.
“For instance, the server of US company MobilexUSA displayed the names of more than a million patients - all by typing in a simple data query. Their dates of birth, doctors and procedures were also included,” ProPublica explains in its report.
After being alerted by ProPublica that it was compromising the personal data of its patients, MobilexUSA started an internal investigation last week.
“We promptly mitigated the potential vulnerabilities identified by ProPublica and immediately began an ongoing, thorough investigation,” MobilexUSA’s parent company said in a statement obtained by ProPublica.
In another instance, patient echocardiograms taken at a doctor’s office in Los Angeles were publicly available on the internet.
According to ProPublica, patients can ensure that their information is protected by asking their health care providers if their medical imaging scans are accessible only with a username and password. In addition, patients should ask healthcare providers whether they regularly conduct security assessments as required by the Health Insurance Portability and Accountability Act.
For their part, medical imaging providers and doctors’ offices should determine whether their picture archiving and communication system (PACS) servers use what is called the DICOM standard.
DICOM, which stands for Digital Imaging and Communications in Medicine, “is the international standard to transmit, store, retrieve, print, process, and display medical imaging information,” according to its website.
However, further steps are necessary to protect patient privacy, as researchers have found that servers using the DICOM standard “may be at risk if they are connected directly to the internet without a VPN [virtual private network] or firewall, or if access to them does not require a secure password,” ProPublica reports. A VPN allows users to share data across a public network as though their devices were connected to a private network.