The medical records of millions of consumers who visited private medical clinics in the U.S. are sitting in servers unprotected by passwords, according to a new investigation by ProPublica.
The vulnerable data includes names, birthdates, physicians and procedures, and even Social Security numbers in some instances. All told, medical records belonging to five million patients in the U.S. were being housed on 187 servers that were found to be lacking sufficient security protections.
ProPublica, which conducted its investigation along with German broadcaster Bayerischer Rundfunk, said “anyone with basic computer expertise” could access the information online.
“It's not even hacking. It's walking into an open door,” cybersecurity researcher Jackie Singh told ProPublica.
No evidence of exploits
The publication, which describes itself as a “nonprofit newsroom that investigates abuses of power,” said it found no evidence that insecure patient data had been taken and published elsewhere -- but if it were to be accessed by cybercriminals, the consequences could be “devastating.”
“Medical records are one of the most important areas for privacy because they’re so sensitive. Medical knowledge can be used against you in malicious ways: to shame people, to blackmail people,” Cooper Quintin, a security researcher and senior staff technologist with the Electronic Frontier Foundation, a digital-rights group, said to ProPublica.
That said, many of the companies investigated ramped up their security measures after being alerted to the findings.
Need for better security
The researchers found that many of the servers were running outdated software, leaving them vulnerable to exploits.
“Experts say it's hard to pinpoint who's to blame for the failure to protect the privacy of medical images,” ProPublica wrote. “Under US law, health care providers and their business associates are legally accountable for securing the privacy of patient data. Several experts said such exposure of patient data could violate the Health Insurance Portability and Accountability Act, or HIPAA, the 1996 law that requires health care providers to keep Americans' health data confidential and secure.”
Rehan Bashir, managing security consultant at Synopsys, told SCMagazine that many medical offices don’t use secure virtual private networks (VPNs) for remote access. In instances where office staff members use easy-to-guess passwords, the security of patient data is put at risk.
Bashir added that large healthcare facilities often have the money to pay for “dedicated IT staff to manage their systems and to implement security controls.” However, “smaller providers generally don’t and thus are more vulnerable to healthcare data breaches.”
Just last month, hundreds of dentist offices across the U.S. were hit by a malware attack that exposed patient records. The affected offices had been using free, third-party software that “unfortunately was vulnerable, and that created the cascading effect that basically encrypted the data for over 400 clinics," Alex Zlatin, CEO of Maxim Software Systems, told KMOX.