Over 45 million medical imaging files including X-rays and CT scans have been found sitting unprotected on internet-facing servers and accessible for anyone to view.
The discovery of the leaked data from hospitals and medical centers from around the world was the result of a six-month-long investigation by CybelAngel’s research team into Network Attached Storage (NAS) and Digital Imaging and Communications in Medicine (DICOM). The investigation uncovered millions of unique images stored on more than 2,140 unprotected servers located across 67 countries including the United States, the United Kingdom and Germany.
However, to make matters worse, some images included dozens of lines of metadata per record disclosing Personally Identifiable Information (PII) such as names, birth dates, addresses, and personal healthcare information indicating patient’s height, weight, and even diagnosis.
The sum of all the data could allow threat actors with malicious intent to create a comprehensive portrait of their potential targets. This could lead to the affected patients becoming victims of identity theft, phishing, extortion, financial and other types of fraud. Alternatively, cybercriminals could also sell the data on dark web marketplaces.
“This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach,” said David Sygula, a Senior Cybersecurity Analyst at CybelAngel.
Since some of the medical institutions are located in the European Union (EU), they are subject to the EU’s General Data Protection Regulation, which means that the failure to secure patients’ sensitive data could lead to penalties and legal actions.
Misconfigured and unsecured internet-facing databases can hardly be considered an uncommon occurrence. The investigation may bring echoes of a similar incident we reported on earlier this year which involved sensitive plastic surgery photos being exposed online.