Medical images and health data belonging to millions of Americans -- including X-rays and CT scans -- are sitting unprotected online, viewable by anyone with basic computer expertise, a scathing new report published Tuesday found.
According to ProPublica, which worked in partnership with German broadcaster Bayerischer Rundfunk on the investigation, the records covered over 5 million patients in the United States and millions more worldwide. Anyone interested in viewing the data or private images could do so with free software programs or a standard web browser.
The news outlet found 187 servers -- computers used to store and retrieve medical data -- in the U.S. that were unprotected by basic security measures. These systems were being used in doctors' offices, medical imaging centers and mobile X-ray services.
“It’s not even hacking. It’s walking into an open door,” Jackie Singh, a cybersecurity researcher and chief executive of the consulting firm Spyglass Security, told ProPublica.
According to the report, some of the medical providers started to lock down their systems after the media organization contacted them.
The server of U.S. company MobilexUSA displayed the names of over a million patients in response to a simple data query, ProPublica reported. The information apparently included patients' dates of birth, doctors and procedures.
MobilexUSA, which takes mobile X-rays and provides imaging services to hospitals, nursing homes and hospice agencies, reportedly upped its security last week.
“We promptly mitigated the potential vulnerabilities identified by ProPublica and immediately began an ongoing, thorough investigation,” MobilexUSA’s parent company told ProPublica in a statement.
The investigation found no evidence that patient data had been copied from these systems and published elsewhere, but one expert cautioned that such actions could be devastating.
“Medical records are one of the most important areas for privacy because they’re so sensitive. Medical knowledge can be used against you in malicious ways: to shame people, to blackmail people,” Cooper Quintin, a security researcher and senior staff technologist with the Electronic Frontier Foundation, a digital-rights group, told ProPublica.
The number of data breaches has been rising in recent years. In 2015, U.S. health insurer Anthem revealed that the private data of 78 million people had been exposed in a hack.
“What we typically see in the health care industry is that there is Band-Aid upon Band-Aid applied” to legacy computer systems, Singh said. “It’s 2019. There’s no reason for this.”