Propublica finds millions of Americans' medical images and data sitting on unprotected, publicly accessible servers

An investigation by Propublica and Bayerischer Rundfunk found 187 servers hosting more than 5,000,000 patients' confidential medical records and scans (including a mix of Social Security numbers, home addresses and phone numbers, scans and images, and medical files) that were accessible by the public, "available to anyone with basic computer expertise."

Many of these records were exposed by large commercial technology providers that service doctors' offices and clinics, such as Mobilexusa, while others were operated by individual doctors, some of whom never returned Propublica's calls or took any steps to tighten their security prior to publication of the investigation (Mobilexusa "tightened its security" after being alerted by Propublica).

The poor security has multiple causes: insurers write cybersecurity policies without adequate due diligence (in part because the penalties for breaches are generally laughable); medical software companies sell products that assume their customers will provide the security layer, while customers assume that the security comes from those products; the rush to establish electronic health records has yielded up a bonanza of insecure practices that are optimized for improving billings, not health or security; and plain old willful neglect.

To all this, I'd add the proliferation of binding arbitration "agreements" that doctors increasingly require patients to sign as a condition of receiving care (I refuse to sign these, which means that I sometimes have to drive to another city to see a specialist; for example, the only pain specialist I could find who did not require this is at USC's pain clinic, an hour's drive from my home). Read the rest