Senator Demands Answers About Exposed Medical Imaging Data
TridentUSA Allegedly Exposed Data on More than 1 Million Patients
Sen. Mark Warner, D-Va., is demanding answers from TridentUSA Health Services about its data security practices following the recent discovery that it exposed more than 1 million patient files on the internet due to an unsecured server.
Meanwhile, the U.S. Department of Justice on Thursday announced that the company had agreed to pay $8.5 million to settle two whistleblower lawsuits alleging False Claims Act violations involving a kickback scheme.
Warner's letter to TridentUSA CEO Andrei Soran was in response to a joint investigation by news media site ProPublica and German broadcaster Bayerischer Rundfunk, which recently reported finding millions of patient medical imaging records exposed on the internet, including those of MobilexUSA, a TridentUSA-affiliated company.
The media sites reported they found 187 servers in the U.S. - including a MobilexUSA server - left "unprotected by passwords or basic security precautions." In total, the exposed records included medical images and health data - including X-rays, MRIs and CT scans - belonging to about 5 million Americans - plus "millions more around the world," the report says.
Of those, the names of more than 1 million patients were accessible on the unsecured MobilexUSA server "all by typing in a simple data query," ProPublica reported. "Their dates of birth, doctors and procedures were also included," the report says.
The ProPublica report identifies only one other medical imaging company - Denver-based Offsite Image - as among those exposing data. That firm left exposed the names and other details of more than 340,000 human and veterinary records, the report says. Offsite Image did not immediately respond to an ISMG request for comment on the allegations.
In his letter to Sparks Glencoe, Maryland-based TridentUSA, Warner, co-founder of the Senate Cybersecurity Caucus, writes: "My colleagues and I in the Senate have been concerned about negligent cybersecurity practices in the healthcare space for a long time. It appears the information held by MobilexUSA was made accessible due to sloppy cybersecurity practices - no vulnerabilities were involved, no explicit hacking required."
The letter continues: "While HIPAA lays out some guidelines for secure data storage and transfer, it is not always clear who bears the responsibility of securing the data and ensuring the use of proper controls. However, it is certainly the responsibility of companies like yours to control and secure sensitive medical data, maintain an audit trail of medical images and to ensure the information is not publicly accessible."
Warner asks TridentUSA to provide answers by Oct. 9 to several questions about its data security practices, including:
- What audit and monitoring tools did the company use to analyze the data to remain HIPAA compliant?
- Does the company require other systems in a network of IP-enabled devices to comply with current standards and use access management controls?
- What are the company's identity and access management controls for IP-addresses and/or port filters?
- Does the company require VPN or SSL to communicate with its picture archiving and communication systems?
- What is the frequency of the company's vulnerability scans and HIPAA compliance audits?
- What are the company's server encryption practices?
- Does the company have an internal security team or does it outsource it?
Duty to Protect
"Companies tasked with handling Americans' medical data have a moral and legal responsibility to protect patient privacy," Warner says in a statement provided to Information Security Media Group.
"While all personally identifiable information is sensitive, medical data such as a patient's name, date of birth, medical history, or medical imaging records are especially delicate, since they can't be changed like a phone number or password. Therefore, medical companies who handle this kind of information owe it to their patients to ensure that their data is safeguarded."
Warner's office tells ISMG that as of Friday, the Senator had not yet received a response or acknowledgement from TridentUSA about the letter, which he sent on Sept. 23. If the senator does not get a response by Oct. 9, Warner's office says, he might write a follow-up letter or reach out to the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA.
Neither TridentUSA nor its affiliated firm MobilexUSA immediately responded to ISMG's request for comment.
Ensuring the security of medical imaging systems and related patient data has been an ongoing challenge for the healthcare sector.
In a report issued earlier this year, researchers at security firm Cylera Labs found weaknesses in the DICOM image file format that, if exploited, could enable malware to infect patient data by directly inserting itself into medical imaging files (see: Researchers: Malware Can Be Hidden in Medical Images).
Also, security researchers at Digital Shadows' Photon Research Team issued a report earlier this year after finding 2.3 billion files inadvertently exposed across the web worldwide, including some 4.7 million healthcare-related records that were predominantly medical imaging files.
"The healthcare industry has been very late in detecting and mitigating threats and vulnerabilities to medical devices and diagnostic imaging systems that connect to the internet," says privacy attorney David Holtzman of the security consultancy CynergisTek. "It has been widely known that picture archiving and communication systems are riddled with vulnerabilities that will allow for unauthorized access to the information."
Federal regulators are also well aware of the medical imaging security challenges. The National Institute of Standards and Technology on Sept. 16 issued new draft guidance to help healthcare organizations improve the security of their PACS.
Medical device security is an industrywide challenge, says former healthcare CIO David Finn, executive vice president at CynergisTek.
"There is no easy fix for providers, device makers, the DICOM standards group or anti-virus makers to address the risks to PACS and similar imaging systems," he says. "This will take everyone working together. It won't be resolved tomorrow with a new patch or a revision to the DICOM standard - although I would hope to see both."
The Justice Department says two former TridentUSA employees - Ravi Srivastava, the CIO, and Peter Goldman, a regional sales manager - filed whistleblower lawsuits in 2016. The lawsuits alleged that the company was engaged in a kickback scheme with skilled nursing facilities where it provided mobile medical imaging services to Medicare and Medicaid patients.
The multi-million dollar settlement of the lawsuits was reached despite TridentUSA on Feb. 10 filing for Chapter 11 bankruptcy protection, seeking "to extinguish the government's ability to collect any damages or penalties from Trident" in the case, according to the Justice Department.