
From Techcrunch's article it looks like it's possible to see so-called "protected health information" (PHI) in these images. PHI includes patient names, diagnoses, hospital and doctor names, contact information, and so forth. It's sometimes possible to "de-identify" medical images by scrubbing off patient info. But I bet most of these are not de-identified.

The examples in the TechCrunch article are redacted, but I guess that was done for publication and not on the stored images themselves.

In the USA, HIPAA and ARRA 2009 (follow-on legislation) made it a federal crime to knowingly or negligently disclose PHI. It's a crime that "pierces the corporate veil." That is, natural persons can be tried and convicted, even if they were acting on behalf of corporations.

The Centers for Medicare and Medicaid Services (CMS) has a Breach Notification Rule, requiring holders of data to notify patients and CMS themselves if PHI is breached. https://www.hhs.gov/hipaa/for-professionals/breach-notificat...

CMS announces breaches involving 500 or more patient records here https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

It wouldn't surprise me if the people involved in securing these sloppily configured DICOM servers are in a state of panic. I was involved in dealing with an unintentional breach of 44 patient records a few years back, and yeah, we had some panic. (Misrouted fax messages were the root cause, for what it's worth.) Also observe that I remember to this day how many records leaked out. Breaches are a big deal. It stinks to be them. I know that for sure.

I hope they get it sorted out. It will take a while. It will also take a while for the affected medical professionals and their IT providers to start responding to these breach reports rationally. Kübler-Ross's stages of grieving are still in play for them: anger, denial, negotiation, etc.
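As an added illustration of the "PHI in the image headers" point above (example code, not from the comment or from TechCrunch), the following checks a DICOM dataset for the kinds of identifying header tags the comment lists and blanks them. It assumes an explicit-VR little-endian dataset, a hand-picked subset of PHI tags, and a constructed sample file; it is not a complete de-identifier (sequences and encapsulated pixel data are not walked).

```python
import struct

# Illustrative subset of header tags that carry PHI (tag numbers are the standard ones;
# the selection is this example's own, not a complete de-identification profile).
PHI_TAGS = {
    (0x0008, 0x0080): "InstitutionName", (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName", (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # 2 reserved bytes + 4-byte length

def encode_element(group, elem, vr, value):
    """Encode one explicit-VR little-endian element (values padded to even length)."""
    value += (b"\x00" if vr in LONG_VRS else b" ") * (len(value) % 2)
    if vr in LONG_VRS:
        return struct.pack("<HH2sHI", group, elem, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

def iter_elements(data):
    """Yield (tag, VR, raw value); skips a Part 10 preamble, stops at undefined length."""
    pos = 132 if data[128:132] == b"DICM" else 0
    while pos + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        if vr in LONG_VRS:
            length, pos = struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        else:
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        if length == 0xFFFFFFFF:  # sequences / encapsulated pixel data: not handled here
            break
        yield (group, elem), vr, data[pos:pos + length]
        pos += length

def find_phi(data):
    """Return {name: value} for every PHI tag present with a non-empty value."""
    return {PHI_TAGS[tag]: value.decode("ascii").rstrip(" ")
            for tag, _vr, value in iter_elements(data)
            if tag in PHI_TAGS and value.strip(b" \x00")}

def scrub(data):
    """Rebuild the dataset with every PHI tag emptied (a minimal header de-identification)."""
    out = bytearray(data[:132] if data[128:132] == b"DICM" else b"")
    for (group, elem), vr, value in iter_elements(data):
        out += encode_element(group, elem, vr, b"" if (group, elem) in PHI_TAGS else value)
    return bytes(out)

# Constructed sample dataset carrying the kind of PHI the comment describes.
SAMPLE = b"".join([
    encode_element(0x0008, 0x0060, b"CS", b"CT"), encode_element(0x0008, 0x0080, b"LO", b"Example Hospital"),
    encode_element(0x0010, 0x0010, b"PN", b"DOE^JANE"), encode_element(0x0010, 0x0020, b"LO", b"MRN-000001"),
    encode_element(0x0010, 0x0030, b"DA", b"19700101"), encode_element(0x7FE0, 0x0010, b"OW", b"\x00" * 16),
])
```

Running `find_phi` over a file pulled from one of the exposed servers would list exactly the names and identifiers that make a stored image a reportable breach rather than an anonymous scan.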