Health – A BILLION medical images are exposed online, doctors ignore warnings.

Medical images, aside from often including at least your name and date of birth, can be useful for cybercriminals to build a convincing health profile of a real person that can be used to file false claims.

#medicalImage #databreach

A savvy cybercriminal could, for example, manipulate your scan images to show a tumor and fraudulently bill your insurance company for cancer that you don’t have. With the addition of a scan that looks legitimate, the fraud is even more difficult to detect.

A billion medical images are exposed online, as doctors ignore warnings

The problem is well-documented. Greenbone found 24 million patient exams storing more than 720 million medical images in September, which first unearthed the scale of the problem as reported by ProPublica. Two months later, the number of exposed servers had increased by more than half, to 35 million patient exams, exposing 1.19 billion scans and representing a considerable violation of patient privacy.

A decades-old file format and industry standard known as DICOM was designed to make it easier for medical practitioners to store medical images in a single file and share them with other medical practices. DICOM images can be viewed using any of the free-to-use apps, just as a radiologist would. DICOM images are typically stored in a picture archiving and communications system, known as a PACS server, allowing for easy storage and sharing. But many doctors’ offices disregard security best practices and connect their PACS server directly to the internet without a password.

These unprotected servers not only expose medical imaging but also patient personal health information. Many patient scans include cover sheets baked into the DICOM file, including the patient’s name, date of birth and sensitive information about their diagnoses. In some cases, hospitals use a patient’s Social Security number to identify patients in these systems.

Some of the largest hospitals and imaging centers in the United States are the biggest culprits of exposing medical data. Schrader said the exposed data puts patients at risk of becoming “perfect victims for medical insurance fraud.”

Unsecured Medical Images Are an Underrated Threat to Patients

https://themighty.com/2020/01/unsecured-medical-image-data-threat-to-patients/

What We Know About Medical Image Security

ProPublica reported in September that images from more than 24 million medical exams were left unprotected on the internet. Unlike a hack or intentional security breach, these medical images — which often include name, date of birth and sometimes social security number — lacked basic digital security protection. Any internet user who knows where to look could easily access the images, without even needing a password.

TechCrunch security editor Zack Whittaker explained that since September, the problem has gotten worse, not better. More than 1 billion scan images from over 35 million patient exams are now exposed on the internet worldwide. TechCrunch and security firm Greenbone Networks made multiple attempts to alert the imaging centers exposing the most patient data to tighten security. So far, they haven’t gotten much response, leaving millions of unsuspecting patients vulnerable to medical identity theft and insurance fraud.

Medical data includes more personal information than your financial data, which is why it sells for an estimated 10 times as much on the dark web.

More than half of victims will spend an average of $13,500 to sort out the damage from medical identity theft, which often requires hiring a lawyer.

When a doctor or radiology office doesn’t take steps to protect patient data online, which they are mandated to do by HIPAA, they open themselves up to fines from the U.S. Health and Human Services’ Office for Civil Rights. The impact of data security issues on patient welfare — and a doctor’s ability to provide treatment — goes further.

A lack of trust in a provider’s ability to keep data confidential also means patients are less willing to disclose pertinent health information during appointments.

Don’t send medical information via email.

How To Get Copies of Your Medical Records

[ECP] NetHappenings 3/18/19

YOUR HEALTH INFORMATION PRIVACY RIGHTS

HIPAA

Office for Civil Rights Headquarters
U.S. Department of Health & Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-800-368-1019
TTD Number: 1-800-537-7697

HHS Releases Voluntary Cybersecurity Practices for Health Industry

GDPR, California’s Consumer Privacy Act, and next-generation ransomware and denial of service attacks, a firm’s ability to provide security is also becoming a matter of survival. Put it all together, and many CISOs today exist in environments where they are not understood by business executives and thus are not being included in business initiatives until it is too late and security vulnerabilities expose the enterprise to cyberattacks and compliance violations.

WHO OWNS YOUR MEDICAL RECORDS?

In 2016, more than 100 million Americans have had their electronic medical records hacked from health systems. For example, this June, Banner Health in Phoenix had a breach of 3.7 million electronic medical records.
Many hospitals throughout the country have been held hostage for their health information system by hackers and have had to pay ransom to regain control of their patients’ medical data.

In 2016, more than 100 million Americans have had their electronic medical records hacked. Each one can be sold for $50.
The Health Insurance Portability and Accountability Act was written 20 years ago, when medical records were kept on paper, and is not applicable to the contemporary digital era.

Moreover, the pervasive selling of our medical data is unchecked, with no legal protection. The massive hacking of health system data has not resulted in any new legislation to date or enforcement via established laws.

Informed Patient Institute
We rate the websites that help you find the right doctor, hospital, and nursing homes and we provide tips about quality concerns. Also see:

https://www.philly.com/philly/health/what-is-philly-health-costs-and-how-can-it-help-me-20180220.html

ProPublica analyzed nearly 17,000 surgeons and found wide variations in complication rates for some of the most routine elective procedures. Explore our database to know more about a surgeon before your operation.
https://www.propublica.org/article/surgeon-level-risk-quotes

2016 Consumer Reports Medical Board Ratings

Medicare Provider Utilization and Payment Data: Physician and Other Supplier

Digital business has become a key driver to business strategy across industries. CIOs have digital transformation at the center of their corporate strategy. #Cybersecurity, amazingly, is often not a top-tier priority in enterprise risk management. The #CISO is only noticed when things go wrong. This is why CISOs are almost always fired or “resign” after major data breaches. The CISO is usually the most qualified person to manage post-breach forensics, cleanup, and compliance audits.
https://venturebeat.com/2019/03/16/cisos-you-need-to-manage-by-walking-around/

Think a strong information security posture means you’re complying with HIPAA? Without proper documentation for government regulators, infosec protocols might safeguard data without meeting federal criteria.

Staff lapses and IT system vulnerabilities are key reasons behind SingHealth cyberattack, according to COI Report

ClassAction.org is a group of online professionals who are committed to exposing corporate wrongdoing and giving consumers the tools they need to fight back. We’ve been reporting on the legal space for nearly a decade and have built relationships with class action and mass tort attorneys across the country.

Prescription Hope
Prescription Hope offers over 1,500 brand-name medications all for the set price of $50 per month for each medication. This covers 100% of the medication cost, no matter the retail price.

Market Share Matters: Evidence Of Insurer And Provider Bargaining Over Prices
Health-care providers and insurers have to agree on how much doctors will be reimbursed before doctors begin treating insurers’ clients. Those fees, which depend on the two parties’ relative clout. Abstract

A survey of the numbers, published this week in Health Affairs, shows that small-time doctor’s offices and insurance companies are getting squeezed by their larger competitors.
https://www.washingtonpost.com/news/wonk/wp/2017/01/09/its-hard-to-be-a-small-time-family-doctor-these-days-new-data-show/

Finally, U.S. hospitals will have to post their prices online.

Hospitals must post ‘chargemaster’ prices online.
Patient Estimate team call  484.337.1970
FAQ Requirements for Hospitals To Make Public a List of Their Standard Charges via the Internet
https://www.cms.gov/Medicare/Medicare-Fee-for-Service-Payment/AcuteInpatientPPS/Downloads/FAQs-Req-Hospital-Public-List-Standard-Charges.pdf
The chargemaster is not a useful tool for consumers who are comparison shopping between hospitals or health systems.
The chargemaster amounts are billed to an insurance company, Medicare, or Medicaid, and those insurers then apply their contracted rates to the services that are billed. In situations where a patient does not have insurance, our hospital has financial assistance policies that apply discounts to the amounts charged.
https://www.mainlinehealth.org/patient-services/patient-billing/standard-charges

A huge trove of medical records and prescriptions found exposed

Thousands of health records and doctor’s notes were exposed daily

By Zack Whittaker, TechCrunch.com, March 17, 2019

A health tech company was leaking thousands of doctor’s notes, medical records, and prescriptions daily after a security lapse left a server without a password. The little-known software company, California-based Meditab, bills itself as one of the leading electronic medical records software makers for hospitals, doctor’s offices, and pharmacies. The company, among other things, processes electronic faxes for healthcare providers, still a primary method for sharing patient files to other providers and pharmacies. But that fax server wasn’t properly secured, according to the security company that discovered the data. SpiderSilk, a Dubai-based cybersecurity firm, told TechCrunch of the exposed server. The exposed fax server was running an Elasticsearch database with over six million records since its creation in March 2018. The faxes also included personal data and health information on children. None of the data was encrypted. […]

Board of Directors responsible

MOUNTAIN VIEW, CA

800 West El Camino Real, Suite 350
Mountain View, California 94040
General +1 650 458 2620
Sales +1 650 458 2625
info@elastic.co
sales@elastic.co

The server was hosted on a subdomain of MedPharm Services, a Puerto Rico-based affiliate of Meditab, both founded by Kalpesh Patel.

NY Governor Cuomo Calls For Investigation on Facebook Health Data Collection

American Travelers Seek Cheaper Prescription Drugs In Mexico And Beyond
In Utah last year, the Public Employee Health Plan took this idea to a new level with its voluntary Pharmacy Tourism Program. For certain PEHP members who use any of 13 costly prescription medications — including the popular arthritis drug Humira — the insurer will foot the bill to fly the patient and a companion to San Diego, then drive them to a hospital in Tijuana, Mexico, to pick up a 90-day supply of medicine.

TechCrunch: Screen time inhibits toddler development, study finds. “In news that will surprise few but still alarm many, a study has found that kids 2-5 years old who engage in more screen time received worse scores in developmental screening tests. The apparent explanation is simple: when a kid is in front of a screen, they’re not talking, walking or playing, the activities during which basic skills are cultivated.”

Researchers Create Algorithm to Protect Kids from Disturbing YouTube Videos

Computer program that could bypass patents to produce synthetic drugs

Software that can bypass current intellectual property and design medication with the same function as top drugs could help pharma companies…

“Massachusetts Attorney General Maura Healey alleges eight Sackler family members and nine Purdue board members or executives played key roles in the nation’s deadly opioid epidemic.”