The publication identified at least 187 medical servers across the US that weren't protected by a password, let alone other modern cybersecurity measures. Moreover, many of those same servers were running outdated software, making them vulnerable to a variety of known exploits. In all, ProPublica estimates that some 13.7 million medical tests and 400,000 x-rays for patients in the US could be easily accessed by malicious individuals. "It's not even hacking. It's walking into an open door," cybersecurity researcher Jackie Singh said to ProPublica.
In some instances, the data included not only the name and birthday of the patient but their social security number as well. ProPublica didn't find evidence that the records were accessed and copied elsewhere, but the number of vulnerable servers highlights a glaring oversight by the medical industry.
As the publication notes, the oversight likely represents a breach of the federal government's Health Insurance Portability and Accountability Act (HIPAA). Enacted in 1996, the act governs the handling of sensitive data. One issue is that the act doesn't provide much guidance on how the industry is supposed to protect data it stores on computers. Some of the clinics ProPublica contacted about their servers tightened their security after the fact, but it'll likely be a while before most servers are properly protected.