A Senator publicly shamed the U.S. Department of Health and Human Services (HHS) on Friday, following up on a recent report that 16 million records were exposed, available to anyone to access and download.

Senator Mark. R. Warner (D-VA) wrote a letter (.PDF) to the Director of the HHS' Office for Civil Rights, Roger Severino, on Friday, asking a handful of questions about the breach, including why it didn't list TridentUSA Health Services, one of the companies responsible for leaking the data, on its breach portal website.

The letter was prompted by joint research carried out by ProPublica and German broadcaster Bayerischer Rundfunk earlier this year that found millions of patient X-rays and MRIs available on servers worldwide. The researchers discovered data from 52 countries, including more than 13.7 million medical tests from the U.S. - 400,000 of which had X-rays associated with them.

The ProPublica piece was based research via Greenbone Networks, a security firm based in Germany, which uncovered the servers - five in Germany and 187 in the U.S. - that were made available to users without a password.

Per reports, the German researchers contacted the German Federal Office for Information Security (BSI) about the issue. BSI in turn went on to alert the United States Computer Emergency Readiness Team (US-CERT) which informed HHS. It's unclear what HHS did with this intel however.

The cause of the breach is complicated. The root of the incident is tied to old, unsecure picture and archiving servers (PACS) that use the Digital Imaging and Communications in medicine protocol, DICOM. Researchers found that because of a flaw in DICOM, attackers could insert a few lines of code to retrieve images from these servers. As if having the images exposed wasn't bad enough, the report discovered that the names and social security numbers of victims were also exposed.

Warner took Severino to task Friday, asking HHS what it did to address the open ports and what it’s doing about PACS security.

Warner also asked Severino about the evidence it requires organizations to produce during a HIPAA Security Rule audit, whether OCR has the necessary information security experts on staff or whether it relies on outside consultancies to carry out audits.

“As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling,” Warner wrote Friday.

While TridentUSA wasn't technically named in the ProPublica piece, one of its affiliates, MobilexUSA, a mobile imaging services provider was culpable. One of its servers was left unsecured, spilling the names - in addition to dates of birth, doctors, and procedures - of more than 1 million patients.

Warner wrote to that company's CEO in September, shortly after the ProPublica piece was published, to inquire about the company's server encryption practices, how often it performs vulnerability scans and HIPAA-compliant audits, and whether it maintains audit trails for PACS.

When it comes to the HHS, specifically Warner is curious about some inconsistencies between TridentUSA and the OCR. In a letter from TridentUSA, the company claimed it demonstrated compliance with the HIPAA Security Rule in March 2019 while patient imagies were online.

"While the information security lapses by the medical companies using the PACS are clear, it is unclear how your agency has addressed this issue. As of the writing of this letter, TridentUSA Health Services is not included on your breach portal website, and I have seen no evidence that, once contacted by US-CERT, you acted on that information in any meaningful way," Warner wrote.

Warner, who’s also Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, hasn’t been one to shy away from highlighting information security issues. Earlier this year the Senator called on the healthcare industry to do better when it comes to preventing cyberattacks, described how he'd like to develop a national strategy to secure supply chains security, and reign in IoT security security thresholds.