Unsecured Medical Images Are an Underrated Threat to Patients
This story was written in partnership with TechCrunch.
You’re probably familiar with the heart-stopping jolt you get when a text or call from your bank flags suspicious charges. Identity fraud, credit card siphoning and stolen passwords to access your bank account always seem to be top of mind, but what about your medical records or images from your X-rays, MRIs or CT scans?
The impact of compromised medical data is life-altering — worse than having your financial information stolen — and in some cases, even life-threatening. Here’s why it matters your X-rays and other exam images are floating around unprotected on the internet and what you can do to protect your data and health.
What We Know About Medical Image Security
ProPublica reported in September that images from more than 24 million medical exams were left unprotected on the internet. Unlike a hack or intentional security breach, these medical images — which often include name, date of birth and sometimes social security number — lacked basic digital security protection. Any internet user could easily access the images if they know where to look without even a password.
TechCrunch security editor Zack Whittaker explained that since September, the problem has gotten worse, not better. More than 1 billion scan images from over 35 million patient exams are now exposed on the internet worldwide. TechCrunch and security firm Greenbone Networks made multiple attempts to alert the imaging centers exposing the most patient data to tighten security. So far, they haven’t gotten much response, leaving millions of unsuspecting patients vulnerable to medical identity theft and insurance fraud.
“Health insurance fraud is the 800-pound elephant in the living room. Health schemes dwarf all other insurance scams by several degrees magnitude,” James Quiggle, director of communications at Coalition Against Insurance Fraud told The Mighty. “It’s doubly worrisome when average recreational computer users can sit up in their bedroom and step right into databases as well.”
Why You Should Care About Health Data Security
After ProPublica published the results of its investigation, a small contingent of health data advocates demanded the government step in to enforce better security protocols. But the general public still has their eyes on financial identity theft as the bigger threat — one survey found nearly 70% of people were very concerned about their financial data. Only 49% expressed significant concern about their personal health information.
However, when your health-related information is used by someone else to obtain medical treatment, file false claims or enact other fraudulent schemes, it can have a much bigger impact than stolen financial data. Not only are digital medical records less secure, but there are many ways to profit off your health data, which leaves you with a big and sometimes life-threatening mess.
Here’s how:
1. Medical Record Errors
Errors in your medical record constitutes one of the biggest dangers of medical identity theft. This could mean a diagnosis you don’t have, medication you’re allergic to, the wrong blood type or treatments you never actually get make it into your permanent health care file. If incorrect information in your medical record is transferred from doctor to doctor, you may end up in a situation where you’re treated with something that’s harmful.
“You could be allergic to treatments that end up on your record,” Quiggle explained. “Then you’re wheeled into the emergency room on a gurney unconscious, and they give you that medicine, as it is a necessary treatment, and you’re allergic. The results could be catastrophic to your health and even life. That’s a big problem.”
A 2013 Ponemon Institute study found 15% of medical identity theft victims were misdiagnosed, 14% experienced a delay in getting treatment, 13% got the wrong treatment and 11% were given the wrong drugs due to errors that made it to their record. You could also fail a physical job exam because a medical condition you don’t have ends up in your medical record.
2. Health-Related Discrimination
If your medical information is stolen, it puts you at greater risk of discrimination, especially at work. In a 2015 Ponemon Institute study, 45% of people surveyed said unauthorized disclosure of their health information affected their reputation.
Mighty community member Sophie E. explained how prejudice against people with mental illness had a real-world impact on her job after a boss found out about her mental health condition (though not as a result of medical identity theft).
“A post of mine about mental illness went viral (36,000 shares, featured on The Mighty and several national newspapers),” Sophie said, adding:
But a lot of people went onto my profile and saw I worked as a children’s entertainer and contacted my work and told them they didn’t want someone like me near their kids. I was fired. [My boss] told me she couldn’t have someone like me near kids in case I thought one turned into a monster and I killed them. I have schizoaffective disorder, and I can assure you I would never work if I was not feeling well.
3. Loss of Your Health Insurance
Thieves may compromise your health insurance benefits by using them for personal medical treatment, to file false insurance claims that pay the criminal, or to get equipment or drugs to resell for a profit.
When an imposter fraudulently uses your health insurance, your legitimate claims may be denied. The company may flag or cancel your policy because of a suspicious number of claims or another person’s information on your record.
A cybercriminal can also max out your health insurance benefits, depending on your policy. Or, as a result of the fraud, you may be denied health or life insurance in the future.
4. Adding to Your Medical Debt
Medical identity theft can leave you with big bills for procedures, treatment and equipment you never asked for or received.
For example, your stolen identity may be used so an imposter can receive medical care. When the hospital sends the bill for out-of-pocket costs not covered by insurance, those charges end up on your record.
In some cases, you may not even know about the medical debt incurred until it’s sent to collections or it shows up as a mark against your credit when you apply for a loan. Health-related scams are notoriously difficult to uncover.
5. Legal Trouble from Prescription Drug Fraud
Stolen medical identities can also be used to get prescription drugs that can be sold for a profit on the street. People who take opioids, ADHD drugs like Adderall or Ritalin, and benzodiazepines may be particularly enticing targets for criminals looking to turn an easy profit.
“Pre-existing conditions and prescription records can be sneakily useful for very specific cases of fraud,” Ted Chan, founder and CEO of CareDash.com, a health care provider review website, told The Mighty. “If you’re being prescribed a controlled substance, that’s useful information for someone who’s trying to obtain legal prescriptions for controlled substances and resell opioids or, like the case somebody contacted us about, Ritalin.”
6. Gateway to Other Types of Identity Theft
Medical data includes more personal information than your financial data, which is why it sells for an estimated 10 times as much on the dark web. In addition, criminals get more bang for their buck out of your health data, because it can be used for a variety of purposes.
The more a cybercriminal knows about you, the more damage they can do beyond health-related fraud and scams. Chan said medical data often includes in-depth answers to questions that can be used to get into your financial information as well, like your place of birth, maiden name or mother’s maiden name.
7. The Cost of Correcting Medical Identity Theft
When your credit card information, a call to your bank may be the only action you need to take. If you’re the victim of medical identity theft, the time and cost to correct your record, from your medical history to credit rating, is astronomical.
More than half of victims will spend an average of $13,500 to sort out the damage from medical identity theft, which often requires hiring a lawyer. From correcting your medical record to sorting out fraudulent debt and insurance claims, victims report they spent an average of 200 hours trying to fix their records. And after all that, only 10% said they reached a satisfactory conclusion.
What’s the Big Deal With Medical Images?
Medical images, aside from often including at least your name and date of birth, can be useful for cybercriminals to build a convincing health profile of a real person that can be used to file false claims. According to Coalition Against Insurance Fraud’s Quiggle, the more evidence an identity thief has, the better they can game the system.
“The crooks will use the medical information to construct a convincing malady, maybe it’s a chronic illness or disease or condition that just happens to flare up,” Quiggle said, adding:
They have the victim’s policy information and insurance company so they create this really convincing claim with detailed medical documentation in the unknowing victim’s name. The insurance company may pay out thousands of dollars to the crooks.
What’s more, the 1 billion unsecured scan images can be edited to change the diagnosis present on a scan. If that sounds unlikely or far-fetched, it’s not. Cybersecurity researcher Yisroel Mirsky, Ph.D., and his team showed in a 2019 paper how scan images can be downloaded, edited to add or remove evidence of a medical condition, and then reuploaded. Mirsky’s team was able to fool three radiologists with edited images.
A savvy cybercriminal could, for example, manipulate your scan images to show a tumor and fraudulently bill your insurance company for cancer that you don’t have. With the addition of a scan that looks legitimate, the fraud is even more difficult to detect.
Mirsky hopes his research showing how vulnerable medical device data is to manipulation “provides motivation for improving the security of healthcare records, if not from the industry, then perhaps from the public since they will voice their concerns.” Right now, the providers in charge of your medical images aren’t doing enough to secure your data.
Why Aren’t Providers Doing More to Protect Your Data?
Health care organizations consistently rank near the bottom in multi-industry studies on digital security. Allowing your health information to float freely around the internet is an obvious violation of Health Insurance Portability and Accountability Act (HIPAA), the law requiring health care professionals to “ensure the confidentiality and security of protected health information.” However, a legal duty to protect your information isn’t enough for many providers to close their security gaps.
Karen S. Schechter, director and assistant professor in the online health care management and health administration programs at Maryville University, told The Mighty many health care providers can’t keep up with the expansion of electronic health records and other technologies. Addressing these digital security issues can be costly, cumbersome and complicated to address despite known risks, and it’s not the sole responsibility of the device makers.
“Larger healthcare organizations are constantly working on building secure technology infrastructures to safeguard medical data internally and externally,” Schechter said. “Smaller organizations and individual providers, while also at risk, have a more difficult time implementing security measures due to lack of resources.”
When a doctor or radiology office doesn’t take steps to protect patient data online, which they are mandated to do by HIPAA, they open themselves up to fines from the U.S. Health and Human Services’ Office of Civil Rights. The impact of data security issues on patient welfare — and a doctor’s ability to provide treatment — goes further.
A lack of trust in a provider’s ability to keep data confidential also means patients are less willing to disclose pertinent health information during appointments. When patients find out their data is exposed, they express anger that providers aren’t following the HIPAA laws designed to protect them from harm. It erodes the doctor-patient relationship and leaves patients feeling unsafe.
Elizabeth Lauderdale went to her local emergency room in Florida in mid-December. “I was in pain, I thought I had a kidney infection,” she told TechCrunch. “Some tests came back but they wanted to do a CAT scan to see if something else was going on.” But the radiology provider that services the emergency room and other medical offices across the state exposed her scans — including her name, date-of-birth and diagnostic data — along with thousands of others.
“It’s scary,” she said. “It’s very uncomfortable.”
How to Protect Yourself Against Medical Identity Theft
The threat of medical identity theft is real and may sound terrifying, but there are several steps you can take to help safeguard your health information. Reduce your risk of becoming a victim of medical identity theft by starting with these six extra security precautions:
1. Ask your provider about data security.
Don’t be afraid to ask your doctors and other health providers about their digital security measures, and push back if they can’t answer or aren’t doing enough to protect your data. “If you are scheduled to have a radiology exam soon, better ask your clinic whether they take care about your data,” a Greenbone expert told TechCrunch.
The Federal Trade Commission publishes a guide outlining the security responsibilities of your doctor. And get specific if you have to — TechCrunch provides additional tech details about security expectations that can help guide your conversation with your providers.
2. Read all your explanations of benefits.
It takes the average medical theft victim at least three months to realize their data was compromised. Often, that’s thanks to noticing errors in the explanation of benefits your insurance company sends for each claim filed in your name.
“It’s tempting to set them aside and just assume the right but if you look closely, you may have seen large claims that happened while you were on vacation in the Bahamas,” Quiggle said. Read all of your statements and keep an eye out for suspicious bills for treatment, medication or equipment you didn’t request or receive.
3. Check your credit regularly.
“One of the first signs that your medical ID has been stolen is a sudden drop in your credit,” Quiggle said. Keep a close eye on your credit, which is good advice to guard against any type of identity theft. Services such as Credit Karma let you check your scores and monitor for unexpected changes for free.
4. Correct your medical records.
If you do notice any errors on your medical record, work to get those corrected. This can be a labor-intensive process because you will have to collect your records from multiple places, including your doctors, hospitals you’ve visited, the pharmacy, labs and your insurance company.
For any errors, request a correction and appeal if you’re refused. The Allergy and Asthma Foundation of America provides a guide on collecting your medical records that’s a useful place to start.
5. Don’t send medical information via email.
Stay mindful of how you are sharing your personal information with providers. Quiggle advised that emailing digital medical records is never secure. If a provider requests sensitive information via email, know you can request another way to provide the information, like in-person when you arrive at the office. If you do provide medical information digitally, make sure it’s only through a provider’s secure portal.
6. Be careful what you post on social media.
Social media platforms can be a great place to give and get support from other people who understand what you’re going through with your health journal. But Quiggle said you want to exercise caution about how much detail you share since cybercriminals may troll your profiles to add more information to their file about you.
“Details help them make claims more realistic and more likely to go right to the system and get paid,” he said.
More than 1 billion medical images are floating around on the internet, which are like gold to criminals who wreak havoc on your health and well-being for their financial or personal gain. It’s important to take the threat of medical identity theft seriously, even if at first it doesn’t seem like your X-ray or CT scan images are worth anything.
“We need, as consumers, to understand that [medical identity theft] is a direct, immediate threat,” Quiggle said. “We can’t afford to take the well-being of our medical records for granted. Each one of us needs to approach medical ID theft with far more urgency because the personal price we pay for a hack of our identifiers is beyond anything we realize until it hits us smack between the eyes.”
Header image via Natali_Mis/Getty Images
Renée Fabian was the features editor at The Mighty. She has also written for The Washington Post, VICE, Healthline, Talkspace, The Fix, The Establishment, The Culture Trip, and GRAMMY.com, among others. Renée was named a 2019 AHCJ Comparative Effectiveness Research fellow, a 2020 USC Center for Health Journalism California fellow, and holds a master's degree in journalism from the University of Southern California and a master's degree in psychology from Antioch University Los Angeles. You can follow her on Twitter @ryfabian.
reneeyfabian