Medical images and sensitive personal data belonging to to U.S. service members are no longer easily accessible online, according to officials who sought to determine how it was available in the first place.
According to Sen. Mark Warner, D-Va., and co-chair of the Senate Cybersecurity Caucus, the internet service provider that carried the images no longer appears to be operating. Warner said Friday that researchers working on the issue could no longer access the information.
"It’s certainly a relief to know that sensitive medical records belonging to men and women in our armed forces are no longer an open target on the internet,” Warner said in a statement provided to Military Times.
Until late last week, personally identifiable medical imagery from three Army health facilities — Fort Belvoir Community Hospital in Virginia, Ireland Army Health Clinic, Fort Knox, Kentucky, and Womack Army Medical Center at Fort Bragg, North Carolina — could be found online by anyone with the know-how to snoop and a special viewer to see the images.
The departments of Defense and Veterans Affairs are eyeing the end of the summer for significant advances in their efforts for a new, joint electronic health record, a move that both bureaucracies have made the long-term centerpiece of medical reforms for their patients.
After finding the loophole, Warner wrote to Assistant Secretary for Health Affairs Thomas McCaffery Jan. 16 saying a German security firm had identified issues with the facilities’ Picture and Archiving Communications Systems, leaving 358 data sets vulnerable to hacking.
The data from the three facilities were stored on one archiving system, according to the chief marketing officer for Greenbone Networks, the German company that found the loophole. CMO Dirk Schrader said Greenbone did not establish "whether the [archiving system] was directly used by the U.S. Department of Defense or not.”
But in an interview last week, Defense Health Agency Chief Information Officer Patrick Flanders said the system holding the data was not owned by the Pentagon. According to Flanders, the images either were on commercial servers belonging to companies that do business with DoD or were available because patients took their images to private practices, where they were compromised.
According to new Defense Health Agency Director Army Lt. Gen. Ronald Place, planned changes to the military health system will improve the patient experience.
“Here’s the truth: No government networks, systems or servers were breached by Greenbone Networks’ ethical hackers,” Flanders said. “Instead, commercial servers is where they got this data.”
Last year, an investigation by ProPublica and the German broadcasting organization Bayerischer Rundfunk uncovered millions of Americans’ medical images on 187 unprotected servers across the United States.
Warner said the exposure of military records as well as millions of others “should never have happened in the first place.”
“We must do all we can to proactively safeguard the personally identifiable information of our service members, who are particularly vulnerable to targeting by malicious actors. I also remain deeply concerned by this administration’s failure to do something about the overwhelming amount of medical records that to this day remain exposed by private health organizations,” the senator said.
The Defense Health Agency is trying to determine which company or companies were responsible, according to Flanders, who added that he planned to work with law enforcement to investigate the matter.