Some servers with medical data in the US aren’t even protected by a password.
If you’ve ever visited a private medical clinic, your records could be at risk. A new joint investigation published by ProPublica and German broadcaster Bayerischer Rundfunk found that the medical data of some 5 million patients in the US is easily obtainable with free software or just a simple web browser.
The publication identified at least 187 medical servers across the US that weren’t protected by a password, let alone by other modern cybersecurity measures. Moreover, many of those same servers were running outdated software, leaving them vulnerable to a variety of known exploits. In all, ProPublica estimates that some 13.7 million medical tests and 400,000 X-rays for patients in the US could be easily accessed by malicious individuals. “It’s not even hacking. It’s walking into an open door,” cybersecurity researcher Jackie Singh told ProPublica.
In some instances, the data included not only the name and birthday of the patient but their Social Security number as well. ProPublica didn’t find evidence that the records had been accessed and copied elsewhere, but the number of vulnerable servers highlights a glaring oversight by the medical industry.
As the publication notes, the oversight likely represents a breach of the federal Health Insurance Portability and Accountability Act (HIPAA). Enacted in 1996, the act governs the handling of sensitive data. One issue is that the act doesn’t provide much guidance on how the industry is supposed to protect the data it stores on computers. Some of the clinics ProPublica contacted about their servers tightened their security after the fact, but it’ll likely be a while before most such servers are properly protected.