Medical images and related data for more than 5 million patients in the U.S. are publicly accessible on the internet, according to an investigative report published online September 17 by nonprofit journalism organization ProPublica and German public broadcaster Bayerischer Rundfunk.
The investigation by ProPublica and Bayerischer Rundfunk in collaboration with German security firm Greenbone Networks revealed that data from more than 13.7 million imaging studies performed in the U.S. were available online and could be accessed via a web browser or free software programs. Of these, the actual images from more than 400,000 cases could be downloaded. Worldwide, medical data for more than 16 million imaging exams are available online, including patient names, birth dates, and, in some cases, Social Security numbers, according to the organizations.
ProPublica's investigation grew from an initial analysis by Greenbone Networks, which had identified image access security problems in at least 52 countries on every inhabited continent. Greenbone shared its findings with Bayerischer Rundfunk, which then approached ProPublica to assess the extent of the problem in the U.S.
ProPublica reported that Dirk Schrader of Greenbone identified 187 servers in the U.S. that were left unprotected -- with no passwords or basic security precautions. They also found five such open servers in Germany. ProPublica and Bayerischer Rundfunk scanned these servers' Internet Protocol addresses and attempted to identify which medical provider they belonged to. ProPublica said it then independently determined how many patients could be affected.
They also found that some servers were running outdated operating systems with known security vulnerabilities. The organizations reported that most cases of unprotected data involved independent radiologists, medical imaging centers, or archiving services; large hospital chains and academic medical centers had security protections in place.
In some good news, ProPublica did not find any evidence that patient data had been copied from the open systems and published elsewhere. Furthermore, some providers -- including mobile imaging services firm MobilexUSA and image archiving firm Offsite Image -- tightened their security after being informed by ProPublica of their findings, according to the news organization.
The problem of unsecured image storage isn't new or unknown, however, in the radiology community. At the 2017 RSNA meeting, Oleg Pianykh, PhD, of Massachusetts General Hospital in Boston reported that nearly 3,000 DICOM servers worldwide were open and unsecured against external data access. What's more, 25% of the unprotected DICOM servers were fully open to DICOM communication with outside computers.
He shared similar findings at RSNA 2016, as well as at the 2016 European Congress of Radiology (ECR) and ECR 2015.