Millions of Patient Medical Records Left Unsecured

When a patient signs that long HIPAA form at the doctor’s office, they expect that their personal information will be kept private. That is, after all, the entire point of HIPAA. But a recent investigation by ProPublica found 187 unsecured servers in the United States — with no passwords or other basic security procedures — holding medical data, for a total of 5 million Americans whose data could have been exposed.

The potential privacy violation was due to the fact that many medical centers simply didn’t secure their servers and data storage when they switched from physical files and photos to digital ones. ProPublica found that security measures varied greatly from institution to institution, with larger hospital chains and academic centers generally having better security, while most of the unsecured data was with independent radiologists, medical imaging centers, or archiving services.

Security researchers point out that while it appears this data was never accessed by cyber criminals, that may be more due to luck than anything else.

“It’s not even hacking. It’s walking into an open door,” Jackie Singh, a cybersecurity researcher and chief executive of the consulting firm Spyglass Security, told ProPublica.

The investigation also pointed out that it’s difficult to say who is to blame for this massive security breach. Technically, under HIPAA, health care providers are required to make sure that their patients’ data is secured. But it’s likely that they trusted data storage companies that told them the data was being secured and, without a way to independently verify that, believed they were doing all they needed to do.

Two companies, for example — MobilexUSA and Offsite Image — were exposed by the investigation for having unsecured patient data. Once alerted by ProPublica, however, both companies closed the gaps in their security and launched investigations into what had happened.

This investigation highlights two things that can be done to further secure private medical data. One, every doctor’s office and data storage center needs to make sure that they aren’t on an open Wi-Fi network. While convenient, leaving a Wi-Fi connection open is equivalent to opening your front door and putting all those medical records on the front lawn. Are they definitely going to get stolen? No. But is it much, much, much more likely? Yes.

The other is that the government needs to be stricter about enforcing laws that already exist to regulate the storage of patient files. Joy Pritts, a former HHS privacy official, told ProPublica that the government even recently lowered the fine for “corrected willful neglect” from $1.5 million to $250,000. And a 2016 report found that “Medical-data security has never been soundly built into the clinical data or devices, and is still largely theoretical and does not exist in practice.”

As an increasing number of our tools and institutions go online, it’s essential that security practices are prioritized in addition to ease of access. Next time, the medical industry might not be so lucky.

About Tenta

Tenta is a next generation browser designed for privacy and security. Built-in true VPN, full data encryption, video downloader, secure media vault, HTTPS Everywhere, Tenta DNS, and more.