Unprotected patient data in the Internet – a review 60 days later, or The Good, the Bad, and the Ugly
A report by Greenbone Networks in September about the leak of medical images online made waves — including spurring Senator Warner to ask HHS OCR what it was doing in response to the report.
Today, Greenbone reached out to a number of sites to alert us all to an update to their report.
From their executive summary:
After our initial measuring of the depth and breadth of data leaking PACS servers across the globe, we wanted to follow a good, standard information security practice: CONTROL. We were interested to see what – if any – has changed to what extent and decided to do this 60 days after the initial research, as this is the timeline given by the US Department of Health & Human Services for Medical Service Providers to report a major breach affecting 500 or more individuals. The results are mixed: some provide hope that the issue is taken seriously, while others destroy that hope right away.
The overall numbers for studies and images have risen to a staggering level, with studies amounting to 35 million and related images to 1,193,404,000, that is 1.19 billion images (compared to 24.5 million studies and 737 million images in the previous report).
In the following chapters, we sort the affected countries into three groups, which we call
• the “Good”
• the “Bad”, and
• the “Ugly”.
Especially the five countries belonging to the “Ugly” group need immediate attention by their respective Governments (i.e. federal or state-level DPO). Their combined number of datasets represents more than 75% of the full data set scrutinized.
During the initial research and report, we learned a lot and tuned our technology, so that we identified more PACS servers in the base set of IP addresses and added them to the count. For systems which have disappeared, their former count isn’t part of our current calculation anymore.
The highlights for interesting pieces of data and conclusions are:
- 129 new archiving systems found, and 172 went off grid
- 11 countries managed to take all PACS systems off the public Internet, and nine ‘new’ countries got added to the overall data.
- USA and Ecuador have largely increased numbers of studies, PII, and images accessible.
- One system in the US is the largest so far (from an accessible image count perspective) and contains SSNs for approx. 250,000 individual US citizens.
- Indications exist that Turkish PACS servers contain scans of Turkish National ID cards, accessible from the public Internet.
- One archive contains data from US army hospitals, where the patient IDs appear to be the DoD ID.
- Proper controls, like those mandated by HIPAA in the US, are largely missing.
- The potential financial risk related to Medical Identity Theft amounts to $5.3 billion.
We stated before that the information held by all the servers we found is covered by laws and regulations of the various countries and regions, like GDPR in Europe, HIPAA in the US and others:
- South Africa: Protection of Personal Information Act (POPI Act)
- Brazil: Lei Geral de Proteção de Dados Pessoais (LGPD)
- India: Information Technology Act 2000, Data Privacy Rules
It is sort of telling that as of NOV 12, 2019, we haven’t seen any reporting of specific PACS systems allowing access from the public Internet in the data breach list provided by HHS. We will continue to monitor the list, with a special eye on the companies owning and operating those large systems, as they state full HIPAA compliance in their annual reports.