Simply put, text messaging is not secure. There are three significant issues:
The NSW Privacy Manual for Health Information suggests it is acceptable to use SMS (if you document consent) although it is disallowed elsewhere. We recommend against using SMS given the SS7 vulnerability. Here is a sobering report by 60 Minutes (Australia) showing just how easy it is for those with nefarious intent to intercept text messages.
Note that a potential solution is to encrypt data on the device before sending it (which is what PicSafe does) or to use messaging services that use end-to-end encryption (many of which have issues).
As well as removing photos from your gallery, all patient data should be manually removed from the messaging app once sent and viewed by following these steps:
Unfortunately, on Android, messages are not permanently deleted. When files are “deleted” on Android, all that really happens is that the operating system labels the disk space that stores the file as free space. The data is still there, and off-the-shelf data recovery tools can easily recover it. What do we do about this? There are numerous free apps in the Google Play Store, such as Secure Eraser, that will allow you to delete these files properly. Tools like Secure Eraser write over the so-called free space with random data. You should probably install and use a tool like this to remove all “deleted” data.
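The following added example (not PicSafe's or Secure Eraser's code) models the behaviour described above on a simulated disk: an ordinary delete only updates the file table, so a raw scan still finds the message, while overwriting the free blocks with random data removes it. ToyDisk, its methods and the sample message are constructed for illustration, and the model assumes an overwrite lands on the same physical block that held the data.

```python
import os

BLOCK = 16  # bytes per block in this toy model
SAMPLE = b"CONSTRUCTED SAMPLE: patient J. Doe, wound photo attached"
MARKER = b"patient J. Doe"

class ToyDisk:
    """Simulated storage: raw blocks plus a file table (name -> block numbers)."""

    def __init__(self, nblocks=32):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.free = set(range(nblocks))
        self.files = {}

    def write(self, name, data):
        used = []
        for i in range(0, len(data), BLOCK):
            n = min(self.free)  # lowest free block, so files stay contiguous
            self.free.remove(n)
            self.blocks[n] = data[i:i + BLOCK].ljust(BLOCK, b"\0")
            used.append(n)
        self.files[name] = used

    def delete(self, name):
        # Ordinary delete: only the bookkeeping changes, block contents stay.
        self.free.update(self.files.pop(name))

    def wipe_free_space(self):
        # What an eraser tool does: overwrite every free block with random data.
        for n in self.free:
            self.blocks[n] = os.urandom(BLOCK)

    def raw_scan(self, needle):
        # A recovery tool ignores the file table and reads the raw blocks.
        return needle in b"".join(self.blocks)

def demo():
    disk = ToyDisk()
    disk.write("sms.db", SAMPLE)
    disk.delete("sms.db")
    found_after_delete = disk.raw_scan(MARKER)  # data is still on the disk
    disk.wipe_free_space()
    found_after_wipe = disk.raw_scan(MARKER)    # free blocks now hold random bytes
    return found_after_delete, found_after_wipe

if __name__ == "__main__":
    print(demo())
```

Files that have not been deleted are untouched by the wipe, because only blocks marked free are overwritten.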
As stated above, if you're using an iPhone, SMS messages are bundled together with iMessage messages (Apple's messaging platform). By default, if you are sending a message from an iPhone to a recipient with an iPhone, it is sent through iMessage. That means Apple servers store patient data and it has travelled overseas. You should turn off iMessage if you wish to use SMS for sending patient data.
Of course, you can use a service like PicSafe where all data is encrypted and decrypted using a key acquired from a PicSafe Key Server.