Your Personal Medical Images Can Be Made Public on the Internet
X-rays and other medical images should be kept confidential, since they are part of your medical records. But a recent ProPublica investigation found that patient images are sitting on the Internet, open for anyone to view.
This isn’t so much a data breach as plain IT carelessness. If the images are on a server and no password or other authentication is required to access them, anyone who knows about that server could, in principle, access your data. ProPublica reports: “In total, medical data from more than 16 million scans worldwide have been made available online, including names, dates of birth and, in some cases, Social Security numbers.”
How can we protect our data? It turns out this isn’t simple. ProPublica does not explain how to find the images it found, for obvious privacy reasons. Here’s the advice it gives:
If you had a medical imaging scan (such as X-rays, CT scans, MRIs, ultrasounds, etc.), ask the health care provider who performed the scan or your doctor whether a username and password are required to access your images … Ask your doctor whether their office or the medical imaging provider they refer patients to has regular HIPAA safety assessments.
Unfortunately, asking once may not be enough. ProPublica says one ISP it contacted claimed its data was password protected, but it wasn’t. The servers were blocked after ProPublica got in touch, but it is hard to see how an individual patient could verify on their own whether their data is actually protected.
ProPublica also says large hospital systems tend to protect their patient data, and that the problems tend to lie with “independent radiologists, medical imaging centers, or archiving services.” Regardless of who takes your images, the provider or its hospital system is responsible for keeping them private.