Sensitive medical information belonging to thousands of military service members can be found online, according to Sen. Mark Warner, D-Va., who is calling on the Defense Department for its swift removal, along with an explanation.
Insecure data practices at three Army health facilities — Fort Belvoir Community Hospital in Virginia, Ireland Army Health Clinic at Fort Knox, Kentucky, and Womack Army Medical Center at Fort Bragg, North Carolina — have left personally identifiable medical information of military patients online, where anyone with the technological know-how can find X-ray, MRI or CT images, the senator said in a letter to the Defense Department Thursday.
According to Warner’s office, the three military health facilities have a collective 358 data sets online, covering roughly the past week of archived images. An average 75 data sets are added per day.
“That means that over the span of a year, more than 27,000 data sets are being uploaded … if you look at it by person … the information of 9,000 service members is exposed each year, with the potential of being collected and used by malicious actors,” according to a statement from Warner’s office provided to Military Times.
In correspondence to Assistant Secretary for Health Affairs Thomas McCaffery, Warner said the problem was discovered by researchers at Greenbone Networks, a Germany-based security firm that identified medical record security problems in at least 52 countries last year.
According to the senator, the researchers accessed the images from their headquarters, using its German IP addresses. The issue is with the facilities’ Picture Archiving and Communication Systems, or PACS, which were not secured, Warner said.
Images, along with personal identification numbers, including DoD ID numbers, are visible on many of the files.
“This itself should have triggered alarms by the hospital information security systems,” Warner wrote. “The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors and others.”
In a series of tweets Friday, Greenbone Chief Marketing Officer Dirk Schrader clarified that the data from the three hospitals were stored on one archiving system, which the company had not “established whether it is directly used by the U.S. Department of Defense or not.”
In an interview Monday, Defense Health Agency Chief Information Officer Patrick Flanders denied the system containing the data was Pentagon-owned. He said the images either were located on commercial servers belonging to companies doing business with DoD or were available because patients took their images to private practices, where they became compromised.
“Here’s the truth: No government networks, systems or servers were breached by Greenbone Networks’ ethical hackers,” Flanders said. “Instead, commercial servers is where they got this data.”
Last year, an investigation by ProPublica and the German broadcasting organization Bayerischer Rundfunk uncovered millions of Americans’ medical images on 187 unprotected servers across the United States.
According to Flanders, the imagery availability on unsecured commercial servers is a “national problem.”
“What’s happened is DoD has either shared its data with a commercial entity that failed to follow security procedures or individual patients have gone to hospitals and gotten their record … when you are referred to private practice … you go get it, and it’s uploaded into the commercial world and it’s susceptible,” Flanders said.
Warner is co-chair of the Senate Cybersecurity Caucus. After ProPublica released its report, he pressed private companies as well as the Department of Health and Human Services to remove or secure more than 31 million images and 1.5 million exam records from cyber-snooping.
In his letter, Warner asked McCaffery to “remediate the situation immediately” and respond to questions regarding the information security management practices at all military medical facilities — practices considered crucial as the Defense Health Agency continues to roll out its Defense Department-wide electronic medical records system, MHS Genesis.
He asked McCaffery to explain how the department plans to fix the problem and explain the practices the military medical hospitals use to secure networks and log, monitor, transfer and access files.
Flanders said to address the problem, he plans to determine which commercial entities were responsible. “I have the IP addresses that the Greenbone folks got their data from and now I’m trying to assess which American companies are those … I can’t use my cyber resources to pick over commercial company stuff. That’s going to be a law enforcement thing.”
The three medical facilities named in the letter serve active duty personnel, family members, retirees and some veterans.
Warner asked McCaffery to provide answers within two weeks.