Millions of people’s medical records are stored on servers that make them accessible without so much as prompting for a password, according to a new report from ProPublica and the German broadcaster Bayerischer Rundfunk.
Some of the records include patient names, Social Security numbers, procedures they’ve undergone, X-ray images, and doctors they’ve seen, according to the report. They were put online by tech providers, doctors’ offices, and imaging centers, many of which didn’t realize the data was online until approached by reporters.
Naturally, patient information is legally confidential, but according to the report, officials haven’t been strict about fining organizations that violate the Health Insurance Portability and Accountability Act, the major U.S. health privacy law. And medical device vendors and the practitioners that use them didn’t always take proper steps to lock down access when moving into the world of digital medical records.
There’s no evidence the online data was improperly accessed, according to the report, but many of the servers were largely wide open to anyone using a web browser or automated scraping tools.
If you’re wondering if your records are secure, you can try to talk to your doctor’s office or other providers, like imaging centers and labs, about how they store data online and whether a password is required to access your information. You can also ask them to verify they do regular security assessments as required by HIPAA, the report suggests.
But until the medical field and regulators get more serious about keeping digital records secure, there’s often little individual patients can really do to ensure their files are safe.