Warner questions imaging provider on cyber practices after breach
Sen. Mark Warner is demanding answers about a healthcare company’s security practices after a breach potentially exposed the data of 1 million patients.
On Monday, Warner (D-Va.), vice chair of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, sent a letter to Andrei Soran, CEO of TridentUSA, asking for information on the medical imaging provider’s security practices and its compliance with the HIPAA privacy and security rules.
One of the affiliates of TridentUSA Health Services, MobileXUSA, an imaging provider whose X-ray technicians and sonographers travel to more than 7,000 facilities across the nation, exposed patients’ protected health information through an unprotected server reachable from the internet.
On February 10, TridentUSA Health Services and its affiliated companies filed for Chapter 11 reorganization. The company’s senior lender provided $50 million to maintain operations without disruption. In a letter to its partners, the organization said it expected to emerge from restructuring with a strong balance sheet and the ability to invest in the business going forward, with no interruptions, reductions or changes in service, while also adding staff and technologies to improve services.
Warner’s letter states that, “It appears that information held by MobileXUSA was made accessible due to sloppy cybersecurity practices, as no software vulnerabilities were involved and no explicit hacking was required. While HIPAA lays out some guidelines for secure data storage and transfer, it is not always clear who bears responsibility for securing the data and ensuring the use of proper controls.”
“However, it certainly is the responsibility of companies like yours to control and secure sensitive medical data, maintain an audit trail of medical images and ensure the information is not publicly accessible,” Warner contended.
While TridentUSA Health Services is the example Warner held up of poor security management at a healthcare vendor, the company is far from alone.
In his letter to TridentUSA’s Soran, Warner wrote, “According to recent reporting, researchers found 13.7 million data sets and 303.1 million images in medical image storage systems that have been freely accessible online with no authentication requirements to access or download the images. This left the scans of millions of Americans exposed on the Internet, not because of a breach but simply because they were stored on 187 unprotected picture archiving and communication servers, including yours. Additionally, according to the research, your server displayed the names of more than a million patients.”
Consequently, Warner asked Soran to answer seven questions concerning the company’s cyber protections.
They covered audits and monitoring tools, PACS server vulnerabilities, identity and access management controls, whether a VPN or SSL is required to communicate with the PACS, the frequency of vulnerability scans and HIPAA-compliant audits, server encryption practices, and whether the company has an internal security team or outsources security.
“It is critical that the privacy of the individual—including their personal health information—is appropriately protected,” Warner concluded, requesting a response by October 9.
TridentUSA Health Services issued the following statement in response to Warner's inquiry:
"We were recently informed by ProPublica of the existence of possible security vulnerabilities in our medical imaging system (DICOM PACS). As ProPublica noted, we took prompt action to mitigate these potential vulnerabilities. We also immediately began a comprehensive forensic investigation to determine whether any patient information was exposed; this investigation remains ongoing. We are deeply committed to the safety and security of patient information and we share Senator Warner's goal of addressing cybersecurity threats in healthcare. To that end, we look forward to responding to Senator Warner by October 9."