German Researchers Accessed Service Members’ Sensitive Medical Data—and One Lawmaker Wants Answers

A Democratic lawmaker wants answers and actions taken to address unsecured servers at three military medical facilities that he said are putting service members’ personal information at risk.

Sen. Mark Warner, D-Va., penned a letter to the Defense Health Agency Thursday pressing it to eliminate the exposure of sensitive medical data belonging to military personnel that he said remains vulnerable due to risky practices at Fort Belvoir Medical Center, Ireland Army Health Clinic and the Womack Army Medical Center.

“The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others,” Warner wrote.

DICOM is the standard format for medical images, and Warner—who co-chairs the bipartisan Senate Cybersecurity Caucus—recently learned that anyone with a DICOM web viewer can access service members’ personally identifiable and sensitive medical information from the three entities, due to unsecured Picture and Archiving Servers, or PACs. Last September, Warner wrote to health care entities that controlled the PACs after a comprehensive investigation detailed how the servers were leaving millions of Americans’ medical images up for grabs on the internet without their consent. 

Following the first letter, the images were removed—but Warner said records belonging to 6 million Americans were still accessible online. In November, the lawmaker wrote to the Health and Human Services Department’s Office of Civil Rights about the information that remained exposed. Since then, the senator said 16 systems, 31 million images and 1.5 million exam records were removed from the internet.

“However, I recently learned that a significant number of medical records belonging to servicemembers remain online,” Warner wrote in the latest correspondence. That information, he noted, was discovered by German researchers who accessed the information using German IP addresses. 

“This itself should have triggered alarms by the hospital information security systems,” he wrote. 

In Thursday’s letter, the lawmaker presses the agency to remove the vulnerable PACs from open access to the internet and immediately mitigate the security issues. To understand the severity of exposure, Warner also asks officials to answer a series of questions regarding information security management practices at military medical hospitals. He asks whether full-disk encryption and authentication for PACs are required by the agency and whether hospitals are directed to hire chief information security officers, among other questions. Warner also added that he expects a response within two weeks due to the issue’s gravity. 

“As a matter of national security, the sensitive medical information of our men and women of the armed services is particularly vulnerable and should be, at a minimum, protected by robust security controls and routine scans,” he wrote.