The privacy of medical records can seem like a difficult balance. On the one hand, you don't want health data such as X-rays, MRIs, and CT scans to get into the wrong hands. On the other hand, if you are transferred from one doctor to another, you may want your new doctor to have access to your medical history without having to carry a huge file from one office to another.
In any case, the last thing you want is for your private medical information to sit on a single server "unprotected by passwords or basic security measures", freely visible to anyone with a typical web browser. However, a recent ProPublica survey found that the diagnostic images of approximately 5 million American patients are stored in exactly that state, despite repeated warnings from security analysts.
Together with the German broadcaster Bayerischer Rundfunk, ProPublica identified 187 computer servers on which medical data from US and international patients are stored, "which are unprotected on the Internet and are available to everyone with basic computer skills":
The insecure servers we've discovered complement a growing list of medical record systems that have been compromised in recent years. Unlike some of the more notorious recent security breaches where hackers circumvented a company's cyber defense, these records were often stored on servers that lacked the security precautions that had long become standard for businesses and government agencies.
According to the study, more than 16 million scans were available online worldwide – some of them visible after entering a simple data query – many of them paired with patient names, birth dates and even social security numbers.
"It's not even hacking," said cyber security researcher and executive director of consulting firm Spyglass Security Jackie Singh. "It's going to an open door."
Hungry, hungry HIPAA?
So what can you do if you think your X-rays and other medical images are online? Probably very little. Although the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to keep your personal information confidential and secure, ProPublica's report describes several parties (from doctors to hospitals to radiologists) pointing fingers at each other and applying "patch after patch" to solve the problem. Investigators also found few consequences for HIPAA violations.
However, if you can prove that your private medical information has been publicly compromised, you may have a legal claim under HIPAA. Contact an experienced healthcare lawyer to discuss your claims.