Millions of Americans' Health Records Are Just Sitting Online for Anyone to See

Like all other personal information, patients' health care data is turning into a commodity. The dating app Grindr, for example, drew intense criticism last year when it came out that it was providing its users' HIV statuses to third-party companies. In addition to companies harvesting users' information for profit, medical data is also a target for hackers. And while the total number of data breaches reported to the Department of Health and Human Services only slightly increased between 2017 and 2018, from 477 to 503, the number of patients affected skyrocketed from 5.6 million to 15 million. The data is valuable for identity theft and falsifying records, and CBS News reported earlier this year on a man whose medical records were stolen so that someone could impersonate him and, ironically, rack up $20,000 in new medical bills.

But it doesn't take a hacker's skills to get a hold of medical records. It doesn't take anything more than a regular Internet browser. A new investigation by ProPublica found that 187 servers in the U.S. had sensitive medical records—including X-rays, MRIs, and CT scans—just sitting in the open, often available with little more than a simple search. All told, this accounted for records on more than 5 million patients in the U.S., and often included their names, birth dates, the dates of care, and in some cases even their social security numbers. Globally, ProPublica found more than 16 million records.

Many of the companies that ProPublica investigated updated their security once they were alerted that their records were exposed, and it's likely that some of the exposures were a result of transferring from physical records to digital ones. But there were other weaknesses in the security of American health care providers. Per ProPublica:

Experts say it’s hard to pinpoint who’s to blame for the failure to protect the privacy of medical images. Under U.S. law, health care providers and their business associates are legally accountable for securing the privacy of patient data. Several experts said such exposure of patient data could violate the Health Insurance Portability and Accountability Act, or HIPAA, the 1996 law that requires health care providers to keep Americans’ health data confidential and secure.

"Medical records are one of the most important areas for privacy because they’re so sensitive. Medical knowledge can be used against you in malicious ways: to shame people, to blackmail people," Cooper Quintin of the Electronic Frontier Foundation, a digital rights organization, told ProPublica. He added, "This is so utterly irresponsible."

Late last month, around 400 dentist offices across the country were hacked by a single malware attack, exposing patient records. The CEO of one security company told KMOX, "They had been using some free, third-party software that unfortunately was vulnerable, and that created the cascading effect that basically encrypted the data for over 400 clinics," and suggested that patients make sure to ask how and where their medical providers store patient data. Meaning that along with everything else about their medical care—that their visits aren't somehow outside of their insurance coverage, they aren't being charged for unnecessary procedures, their doctor hasn't been repeatedly fired for gross negligence—it's now also up to patients to make sure that medical providers aren't leaving their X-rays available to a basic Google search.


Originally Appeared on GQ