Medical images usually carry at least your name and date of birth, and cybercriminals can use them to build a convincing health profile of a real person, which can then be used to file false claims.
A savvy cybercriminal could, for example, manipulate your scan images to show a tumor and fraudulently bill your insurance company for cancer that you don’t have. With the addition of a scan that looks legitimate, the fraud is even more difficult to detect.
The problem is well documented. In September, Greenbone found 24 million patient exams, holding more than 720 million medical images, exposed online; ProPublica's reporting on that finding first revealed the scale of the problem. Two months later, the number of exposed servers had grown by more than half, and the exposed data covered 35 million patient exams and 1.19 billion scans, a considerable violation of patient privacy.
DICOM, a decades-old file format and industry standard, was designed to make it easy for medical practitioners to store a medical image together with its metadata in a single file and share it with other practices. DICOM images can be opened with any of several free viewer apps, the same way a radiologist would view them. They are typically stored in a picture archiving and communication system, known as a PACS server, for easy storage and sharing. But many doctors' offices disregard security best practices and connect their PACS server directly to the internet without a password. The DICOM network protocol itself has no built-in authentication beyond optional matching of application entity (AE) titles, and transport encryption is an optional profile rather than the default, so a PACS listening on the standard DICOM port (104, or commonly 11112) to the whole internet will typically answer queries and image retrievals from anyone who connects.
These unprotected servers not only expose medical imaging but also patient personal health information. Many patient scans include cover sheets baked into the DICOM file, including the patient’s name, date of birth and sensitive information about their diagnoses. In some cases, hospitals use a patient’s Social Security number to identify patients in these systems.
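As an added example, not code from the article or from Greenbone, here is a minimal Python reader for the DICOM Part 10 file format that pulls the patient identifiers described above out of a scan. It builds a small constructed sample file in memory (not a real patient; the SSN-shaped patient ID is invented to illustrate the point about hospitals using Social Security numbers as identifiers) and handles the two uncompressed little-endian transfer syntaxes; undefined-length sequences and compressed pixel data are not handled. The tag numbers and transfer syntax UIDs are the standard ones.

```python
"""Minimal DICOM Part 10 reader that pulls patient identifiers out of a scan file.

Added example. The sample file built below is constructed in memory and is
not a real scan. Supports implicit and explicit VR little endian only.
"""
import struct

# Tags of the patient identifiers the article says are baked into the file.
PATIENT_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",        # sometimes an SSN, per the article
    (0x0010, 0x0030): "PatientBirthDate",
}
TRANSFER_SYNTAX_TAG = (0x0002, 0x0010)
PIXEL_DATA_TAG = (0x7FE0, 0x0010)
IMPLICIT_VR_LE = "1.2.840.10008.1.2"      # default transfer syntax: no VR bytes
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
# Explicit-VR elements whose length field is 4 bytes after 2 reserved bytes.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def _pad(vr, value):
    """DICOM values are always even-length: pad with NUL for UI/binary, space otherwise."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"UI", b"OB", b"OW") else b" "
    return value


def _explicit(group, element, vr, value):
    value = _pad(vr, value)
    if vr in LONG_VRS:
        return struct.pack("<HH2sHI", group, element, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, element, vr, len(value)) + value


def _implicit(group, element, vr, value):
    value = _pad(vr, value)
    return struct.pack("<HHI", group, element, len(value)) + value


def build_sample_dicom(implicit=False):
    """Build a tiny Part 10 file in memory (constructed data, not a real patient)."""
    syntax = IMPLICIT_VR_LE if implicit else EXPLICIT_VR_LE
    enc = _implicit if implicit else _explicit
    # The file meta group (0002,xxxx) is always explicit VR little endian.
    meta = _explicit(0x0002, 0x0010, b"UI", syntax.encode())
    body = b"".join([
        enc(0x0008, 0x0060, b"CS", b"CT"),
        enc(0x0010, 0x0010, b"PN", b"DOE^JANE"),
        enc(0x0010, 0x0020, b"LO", b"123-45-6789"),  # constructed: SSN used as patient ID
        enc(0x0010, 0x0030, b"DA", b"19700101"),
        enc(0x7FE0, 0x0010, b"OW", bytes(16)),       # stand-in pixel data
    ])
    return b"\x00" * 128 + b"DICM" + meta + body


def extract_phi(data):
    """Return the patient identifiers found in a DICOM Part 10 byte string."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    pos, explicit, in_meta, syntax, found = 132, True, True, EXPLICIT_VR_LE, {}
    while pos + 8 <= len(data):
        group, element = struct.unpack_from("<HH", data, pos)
        if in_meta and group != 0x0002:
            in_meta = False  # dataset starts here: honour the declared transfer syntax
            explicit = syntax != IMPLICIT_VR_LE
        if explicit:
            vr = data[pos + 4:pos + 6]
            if vr in LONG_VRS:
                length, hdr = struct.unpack_from("<I", data, pos + 8)[0], 12
            else:
                length, hdr = struct.unpack_from("<H", data, pos + 6)[0], 8
        else:
            length, hdr = struct.unpack_from("<I", data, pos + 4)[0], 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element not supported by this reader")
        value = data[pos + hdr:pos + hdr + length]
        pos += hdr + length
        tag = (group, element)
        if tag == TRANSFER_SYNTAX_TAG:
            syntax = value.rstrip(b"\x00").decode("ascii")
        elif tag in PATIENT_TAGS:
            found[PATIENT_TAGS[tag]] = value.decode("ascii").strip()
        elif tag == PIXEL_DATA_TAG:
            break  # identifiers precede the pixel data; no need to read the image
    return found


if __name__ == "__main__":
    for implicit in (False, True):
        print(extract_phi(build_sample_dicom(implicit)))
```

Pointed at a real file with `extract_phi(open(path, "rb").read())`, the same element walk shows how little effort it takes to recover name, ID and birth date from a scan once the file is reachable; it is also the walk a de-identification tool has to perform before a file is allowed to leave the PACS.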
Some of the largest hospitals and imaging centers in the United States are among the biggest culprits in exposing medical data. Schrader, of Greenbone, said the exposed data puts patients at risk of becoming "perfect victims for medical insurance fraud."
Unsecured Medical Images Are an Underrated Threat to Patients
What We Know About Medical Image Security
ProPublica reported in September that images from more than 24 million medical exams were left unprotected on the internet. Unlike a hack or an intentional security breach, these medical images, which often include name, date of birth and sometimes Social Security number, simply lacked basic digital security protection. Anyone on the internet who knew where to look could access the images without so much as a password.
TechCrunch security editor Zack Whittaker explained that since September, the problem has gotten worse, not better. More than 1 billion scan images from over 35 million patient exams are now exposed on the internet worldwide. TechCrunch and security firm Greenbone Networks made multiple attempts to alert the imaging centers exposing the most patient data to tighten security. So far, they haven’t gotten much response, leaving millions of unsuspecting patients vulnerable to medical identity theft and insurance fraud.
Medical data includes more personal information than your financial data, which is why it sells for an estimated 10 times as much on the dark web.
More than half of victims end up paying to undo the damage from medical identity theft, at an average cost of $13,500, and doing so often requires hiring a lawyer.
When a doctor or radiology office fails to protect patient data online, as HIPAA requires it to, it opens itself up to fines from the U.S. Department of Health and Human Services' Office for Civil Rights. But the impact of data security failures on patient welfare, and on a doctor's ability to provide treatment, goes further than fines.
A lack of trust in a provider’s ability to keep data confidential also means patients are less willing to disclose pertinent health information during appointments.