A key lawmaker wants the chief of military health to explain why the medical records of “a significant number of service members” are online and available to anyone with enough tech savvy to look for them.
“The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors and others,” Sen. Mark Warner, D-Va., stated in a Jan. 16 letter to Assistant Secretary of Defense for Health Affairs Thomas McCaffrey.
In the letter, Warner referred to “identifiable and sensitive medical information” from picture and archiving servers at Fort Belvoir (Va.) Medical Center, Womack Army Medical Center (at Fort Bragg, N.C.), and Ireland Army Health Clinic at Fort Knox, Ky. The information, Warner wrote, is “available online for anyone with a DICOM [Digital Imaging and Communications in Medicine] viewer to find.”
The problem became public last September, when a report identified millions of U.S. citizens’ medical records that were available online and have since largely been removed.
Warner wrote the letter to McCaffrey after learning that a German research firm discovered “a significant number of medical records belonging to service members” were still sitting on the internet.
He told McCaffrey in the letter that the records’ presence should have been identified by health officials and should have triggered an alarm.
The senator asked McCaffrey to “immediately remediate the situation,” and:
* Describe how military hospitals handle information security management.
* Audit and monitor logs.
* Require full-disk encryption and authorization for picture and archiving servers.
* Tell him if each military hospital has a chief information security officer.
* Describe how the record breach is being handled, and say if the records have been removed from the internet.