X-Ray Film Scanners and Digitizers, X-Ray Film Scanning Services and Software

Prevent Data Breaches from X-Ray Film

posted Apr-17-2015

Over the past few years there have been reports of multiple cases of data breaches attributed to improper handling of X-ray film.  Scams related to X-ray film have been on the rise as healthcare organizations have moved into direct digital radiography.  This move to all digital has left hundreds of thousands of X-ray film records in its wake.  Most, if not all, of this old X-ray film is stored in X-ray archives, either within the walls of the healthcare facility or in specially equipped storage facilities.

Once a healthcare organization has gone fully digital, the problem becomes what to do with the X-ray film files.  Some of the X-ray film and reports may need to be scanned for incorporation into the digital system.  All of the film will, at some point, need to be destroyed.

It’s those two points of outside contact – a scanning facility and/or a recycling facility – that are rife with scam potential.

How Data Breaches Occur

Some scams involve outright theft of the film in order to harvest the silver.  This is an especially attractive option for thieves when silver prices are high.  These thieves usually pose as legitimate X-ray recyclers.  They’re literally invited in by the healthcare facility, which is eager to clean out its X-ray storage area.  The thieves load the boxes of X-rays into a truck and drive off, leaving a happy healthcare organization behind.  It’s not until weeks later, when neither a check for the silver content nor a recycle certificate shows up, that the healthcare facility realizes it has been had.

Some scams are more sophisticated, involving not only the harvesting of silver, but the harvesting of patient data as well.  Often these thieves pose as an X-ray scanning operation and may, in fact, have access to scanning equipment that enables them to quickly harvest patient data, which may include SSNs from the X-ray reports. These thieves get paid twice: once when they sell the harvested patient data and again for the silver content when they off-load the film to a recycler.

Some examples of these kinds of data breaches include:

  • In 2013, Raleigh Orthopaedic Clinic provided patient X-rays to a third-party vendor, which sold the films to an Ohio-based recycling company that harvested the silver from the X-rays.  The clinic had to notify more than 17,000 patients that their personal data may have been compromised.
  • In 2011, Knox Community Hospital in Mount Vernon, Ohio fell prey to a similar scam when it sent its films to a scammer posing as a recycling company.

These X-ray scams are just two examples that show how data breaches occur without involving hacking into a company’s computer networks. In fact, experts often point out that physical records (paper, film) may be more susceptible to theft or loss than properly protected redundant digital records.

What to Do if You’ve Had a Breach

What does a healthcare organization do when it has had a theft, loss or other breach of physical records?  Under federal data breach rules established in 2009, hospitals and other so-called covered entities like doctors’ offices often have to report data breaches, whether paper or digital, to the U.S. Department of Health and Human Services, and in many cases, also to the individual patients whose information was involved.

Calling thousands of people to make them aware that their X-rays have been stolen can be a difficult job. At first the patient may not understand the significance of a stolen X-ray of their broken foot from eight years ago.  The healthcare facility needs to explain that the X-ray contains personal identifying information, including the patient’s full name, address, date of birth, medical record number, and even social security numbers on some.  Some providers may no longer have current contact information for some patients who may be affected, so notification becomes even more difficult, and may require posting a notice on their website.

Minimize Risk

While anyone can be “taken,” some simple due diligence before you hire a scanning/recycling vendor can go a long way toward minimizing risk:

  • Make sure that your facility is properly insured for all risk
  • Thoroughly vet each vendor prior to hiring
  • Use a published RFQ process to attract vendors
  • Tour the vendor’s site prior to hiring, if at all possible
  • Request and verify references
  • Check with the local EPA office for a list of verified recyclers
  • Have procedures in place for receiving and verifying outside contractors

If this seems like a lot of precaution just to digitize and destroy old X-ray film, remember how time-consuming and costly, not to mention embarrassing, it will be if your patients’ data is exposed.

