
HIPAA Pulse by Patient Protect


HIPAA Pulse — May 13, 2026

May 13, 2026  ·  Bi-Weekly Briefing

Imaging Servers Wide Open, Vendors Going Quiet & What Q2 Already Confirms

Thousands of medical imaging servers are sitting on the public internet right now with no authentication. If your practice has an X-ray, one of them might be yours.

Two weeks ago we published the inaugural Q1 2026 State of Compliance report — 207 breaches, 15.9M affected, 67.6% of all impact from just four upstream vendor incidents. The headline finding was that healthcare risk is concentrating at a small number of vendors and a small number of structural failure modes. Q2 has not changed that picture. If anything, the last 14 days have made it sharper.

This issue covers what's actually moved since April 29 — including a Trend Micro finding that crosses every line of the Q1 thesis. Sector-wide misconfiguration. Hundreds of affected entities. No exploitation required. The data was just there.

Stat of the Issue

Zero authentication required to retrieve patient imaging data from thousands of DICOM servers identified in Trend Micro's analysis published May 11. No phishing. No malware. No credential theft. Anyone with a network scanner can pull the records.

Risk Barometer  ·  What Moved Since April 29

Breaches Filed

35

HHS OCR + State AG, this window

Individuals Affected

2.1M

fresh disclosures, this window

Top Breach Type

Hacking / IT Incident

71% of window — Q1 pattern holding

Largest Fresh Filing

OpenLoop
716K

HHS OCR, May 11 — telehealth network

Open the live dashboard → Free · No account · Updated nightly

Breach of Note

Exposed DICOM Imaging Servers

Trend Micro analysis  ·  Sector-wide misconfiguration  ·  Hundreds of entities

DICOM — Digital Imaging and Communications in Medicine — is the standard protocol that runs on essentially every X-ray, MRI, CT, ultrasound, and dental imaging system in the country. The format stores image data and patient demographics in the same file: name, date of birth, study date, ordering physician, facility identifier. Exposure of a DICOM server is direct exposure of PHI.
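To make the "same file" point concrete, here is a small added example (not from the newsletter, Trend Micro, or any DICOM library): it builds a constructed DICOM Part 10 file and then walks its data elements to list the PHI-bearing fields a server would hand over alongside the pixel data. It assumes the Explicit VR Little Endian transfer syntax only; the tag numbers and names are from the public DICOM data dictionary.

```python
import struct

# Data elements whose values are direct PHI (DICOM data dictionary tag -> keyword).
PHI_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0008, 0x0080): "InstitutionName",
}
# VRs that use the 2-byte-reserved + 4-byte-length header form in Explicit VR.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN", b"UC", b"UR"}
EXPLICIT_VR_LE = b"1.2.840.10008.1.2.1"

def encode_element(group, elem, vr, value):
    """Encode one Explicit VR Little Endian element; values are padded to even length."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"OB", b"UI") else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sHI", group, elem, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

def build_sample_file():
    """Constructed sample: 128-byte preamble, 'DICM', file meta group, then the dataset."""
    meta = encode_element(0x0002, 0x0010, b"UI", EXPLICIT_VR_LE)
    meta = encode_element(0x0002, 0x0000, b"UL", struct.pack("<I", len(meta))) + meta
    dataset = (
        encode_element(0x0008, 0x0020, b"DA", b"20260501")
        + encode_element(0x0008, 0x0080, b"LO", b"Example Radiology Group")
        + encode_element(0x0008, 0x0090, b"PN", b"Smith^Jane")
        + encode_element(0x0010, 0x0010, b"PN", b"Doe^John")
        + encode_element(0x0010, 0x0030, b"DA", b"19700101")
        + encode_element(0x7FE0, 0x0010, b"OW", bytes(16))  # placeholder pixel data
    )
    return b"\x00" * 128 + b"DICM" + meta + dataset

def iter_elements(data):
    """Walk an Explicit VR LE Part 10 file, yielding (tag, vr, raw value) per element."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos = 132
    while pos + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element not supported")
        yield (group, elem), vr, data[pos:pos + length]
        pos += length

def phi_inventory(data):
    """Return {keyword: value} for every PHI-bearing element found in the file."""
    found = {}
    for tag, vr, value in iter_elements(data):
        if tag == (0x0002, 0x0010) and value.rstrip(b"\x00") != EXPLICIT_VR_LE:
            raise ValueError("only Explicit VR Little Endian is handled here")
        if tag in PHI_TAGS:
            found[PHI_TAGS[tag]] = value.decode("ascii").rstrip(" \x00")
    return found
```

Run against a real export from your own PACS, the same walk shows exactly which demographic fields leave with every image.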

Trend Micro's analysis identified thousands of servers reachable from the open internet across hundreds of healthcare organizations. Most lacked authentication entirely — a network scanner could retrieve patient records without compromising a single credential, sending a phishing email, or exploiting any vulnerability. The data was effectively published.

This is the Q1 concentration thesis playing out in imaging. Equipment vendors and radiology service companies typically install and configure these systems — not the practice's IT staff — and the systems are often outside the scope of the practice's HIPAA risk analysis. The vendor configures it once. Nobody touches it again. Years later, it's on the open internet.

Three questions for your practice: Who installed your imaging equipment? Who manages its network configuration today? When was the last time anyone confirmed it isn't reachable from outside your firewall? If you can't answer those, the free HIPAA Risk Assessment scopes imaging infrastructure as part of the analysis — under 30 minutes, no account required. Run it now →

Three Signals From the Past Two Weeks

Configuration Has Become the New Attack Surface

The DICOM finding follows a 2025–2026 pattern: more healthcare data is being exposed through misconfiguration than through active intrusion. The Washington Post reported on May 4 that a CMS-built Medicare provider directory exposed health-provider Social Security numbers in a backend database — not from an attack, but because a backend was reachable that shouldn't have been. The threat actor no longer needs to break in. They need to find the door someone forgot to close.

Vendor Stonewalling Is Now a Distinct Regulatory Trigger

On May 6, Missouri's Department of Commerce and Insurance escalated its investigation into Conduent Business Services after the national insurance-processing vendor allegedly failed to cooperate with regulators following a breach potentially affecting millions of consumers. State regulators are signaling that BAA cooperation clauses need to be enforceable, and that the real obligation is sustained cooperation for the duration of the investigation. If your vendor BAA does not explicitly require post-breach forensic cooperation with regulators, it needs to be updated.

CISA Treats Nation-State Threats as a Planning Baseline

On May 7, CISA issued guidance urging critical-infrastructure operators — healthcare explicitly named — to invest in isolation and recovery capabilities for nation-state cyberattacks. The framing treats nation-state involvement as a planning baseline rather than an outlier scenario. For independent practices, "isolation and recovery" translates to one discipline: offline, tested backups. If you cannot restore from cold storage today, your operational continuity is theoretical.

30-Minute System Check  ·  Q2-Relevant

Each item below maps directly to a story in this issue. Pulling one item off this list this week is more useful than reading three more newsletters.

1. Inventory every imaging device that has a network port. X-ray, MRI, CT, ultrasound, dental panoramic, any modality that produces a DICOM file. For each one, document: who installed it, who manages its network configuration, and whether it can be reached from outside your firewall. If you do not know the answer to the third question, that's the answer.

2. Run an external scan against your own public IP. Use Shodan or ShieldsUP or commission a one-time external assessment. You want to see what an attacker sees. If anything other than your website and an MX record shows up, that's a finding.

3. Add regulatory cooperation language to vendor BAAs. Following the Conduent escalation, every BAA your practice executes — and ideally every existing one — should require vendors to cooperate with regulatory investigations from federal and state authorities, and to provide forensic data sufficient for the covered entity to meet its own notification obligations.

4. Confirm at least one offline, tested backup. Following CISA's isolation and recovery guidance, your practice needs a backup that is physically or logically disconnected from your production network, that cannot be encrypted by ransomware reaching your systems, and that has been successfully restored from at least once in the last 90 days. "We have backups" is not the same as "we have recovery."

5. Update your risk analysis scope. If your most recent HIPAA risk analysis does not name your imaging systems, your PACS infrastructure, and your backup architecture by system, it does not satisfy §164.308(a)(1)(ii)(A). The Top of the World Ranch settlement from Q1 was $103,000 for exactly this gap.

Five Questions. Five Uncertain Answers.

The free HIPAA Risk Assessment converts that uncertainty into a documented finding in under 30 minutes — and gives you the artifact OCR will ask for if they come knocking.

Run the free assessment → Free · No account · 30 minutes

What This Points To

The Q1 finding was that a handful of upstream vendors and a handful of structural failures drove most of healthcare's breach impact. Two weeks of Q2 data have not changed that picture. Hacking/IT incidents drove 71% of this window's filings — almost exactly the 70% figure we reported on April 15. The DICOM finding is the vendor-pathway story applied to imaging. Conduent's stonewalling is the BAA cooperation story made enforceable. And OpenLoop Health — flagged in the April 15 issue as the most significant single-entity breach by individual impact — appeared in HHS OCR data on May 11 with a 716,000-individual filing.

The independent practice's exposure is not primarily what's happening inside its own four walls. It's what's happening at the vendors, at the imaging equipment manufacturers, at the federal systems your patients are reflected in, and at the network ports nobody documented. The work of HIPAA compliance in 2026 is increasingly the work of knowing where your data lives once it leaves your control.


Patient Protect

We built Patient Protect for exactly this picture.

Vendor inventory. BAA tracking with cooperation language. Continuous risk analysis with imaging in scope. Offline backup verification. Audit-ready documentation. All sized for independent practices, all in one place. $39/month, no contracts, 14-day free trial.

Start free trial → See pricing →

Worth Reading

DICOM Exposure Coverage — HIPAA Pulse →

Full editorial coverage of the Trend Micro DICOM finding, including the technical mechanism, the regulatory exposure under §164.308 and §164.312, and the controls that close the gap.

CISA Isolation & Recovery Guidance →

CISA's May 7 advisory urging critical infrastructure operators — healthcare explicitly named — to invest in isolation and recovery capabilities. The framing for what "operational continuity" means under nation-state threat conditions.

Q1 2026 State of Compliance →

The 38-page research paper underlying the Q1 concentration finding. The vendor-pathway pattern Q2 is now confirming. Methodology, source breakdown, the four breaches that drove 67.6% of impact.

Closing Note

Two weeks from now, Q2 will be half over and OCR's investigation backlog will tell us whether the Top of the World Ranch precedent is going to produce more risk-analysis-focused settlements in the months ahead. The bet from our side is that it will. The new Security Rule is not finalized yet, but the enforcement posture has already moved.

Next Pulse drops May 27.

A note for readers who track these things: editorial breach coverage has moved to its own home at hipaapulse.com. The operational response — what to do about each story, in Patient Protect terms — continues at patient-protect.com/hipaa-pulse. This briefing keeps coming from Patient Protect.

Patient Protect

Chicago, IL  ·  patient-protect.com  ·  HIPAA Pulse


Breach data reflects publicly reported incidents from seven federal, regulatory, and community sources. Certain entries are modeled from news sources and labeled accordingly in the live dashboard.


© 2026 Patient Protect LLC. All rights reserved.
