Senator criticizes HHS for not investigating exposure of millions of medical images

Senator criticizes HHS for not investigating exposure of millions of medical images
© Greg Nash

Sen. Mark WarnerMark Robert Warner'Almost Heaven, West Virginia' — Joe Manchin and a 50-50 Senate Confirmation hearing for Biden's DNI pick postponed The Hill's Morning Report - Trump impeached again; now what? MORE (D-Va.) on Friday criticized the Department of Health and Human Services (HHS) for not taking action after a September report revealed the exposure of the medical images and sensitive health data of millions of Americans.

Warner wrote in a letter to Roger Severino, the director of HHS’s Office for Civil Rights, that “a long overdue focus on data privacy and information security has come into sharper focus” as the health care sector increasingly utilizes information technology, and criticized the agency for not taking action in response to one specific incident earlier this year. 

The Democrat pointed to a ProPublica report published in September that found that medical images and other health data of more than 5 million Americans were unprotected online, and could be viewed easily by anyone with a web browser or free software program.


Warner noted that the images were stored on unsecured picture and archiving communications servers, or PACS, and included more than 100 million medical images, more than 22 million patient records and 400,000 Social Security numbers.

Warner, who serves as the top Democrat on the Senate Intelligence Committee, wrote that he was “alarmed” that HHS had not taken action to secure the images and data in the wake of the ProPublica report, citing HHS’s “responsibility to protect the sensitive personal medical information of the American people.”

The senator also warned that the images pose a security risk to medical organizations, with Warner writing that “in their current unencrypted state, CT, MRI and other diagnostic scans on the internet could be downloaded, injected with malicious code, and re-uploaded into the medical organization’s system and, if capable of propagating, potentially spread laterally across the organization.”

Warner noted that despite both the U.S. Computer Emergency Readiness Team and HHS being made aware of these vulnerabilities by the German researchers who initially discovered them prior to the ProPublica report, no action has been taken. Warner described this as “an enormous oversight” on the part of HHS.

“The American people deserve to have their sensitive private information protected and their government held accountable for enforcing the rules in place to keep that information private,” Warner wrote.

The senator asked that Severino respond to questions around the exposure of the images and data, and the reasons that HHS has not taken action to mitigate the security issues, by Nov. 18.

Severino responded to Warner's concerns, telling The Hill in a statement that “our commitment to patient privacy remains steadfast." 

Warner previously wrote in September to TridentUSA Health Services, a group that owns one of the PACS that is vulnerable, asking questions around the exposed images and data. Warner noted in his letter on Friday that TridentUSA Health Services completed a successful HHS security audit prior to the exposure being reported.

Severino noted that HHS is "troubled" by the potential "violations" of the security audit, and said HHS would "investigate them thoroughly."

-Updated at 9 p.m. to include a response from HHS