Researchers today reported finding more than 45 million medical imaging files online that included X-rays and CT scans on unprotected servers. The files included sensitive data that contained personal health care information, available unencrypted and without password protection.
The report was based on six months of research by CybelAngel, which took a deep-dive into the network attached storage (NAS) and digital imaging and communication in medicine (DICOM) technology used by medical professionals to send and receive medical data.
Today’s breach was even bigger than the one exposed last year following an investigation by ProPublica, where the medical records of 5 million U.S. patients and millions of others worldwide were left unprotected online.
According to the study released today, CybelAngel tools scanned about 4.3 billion IP addresses and found the millions of images exposed on more than 2,140 unprotected servers across 67 countries, including the United States, France and Germany.
The researchers found that the openly available medical images, including up to 200 lines of metadata per record, could be accessed without a user name or password. In some cases, log-in portals accepted blank user names and passwords. Many of the records included personally identifiable information such as names, birth dates and addresses.
David Sygula, senior cybersecurity analyst at CybelAngel, pointed out that the team did not use any hacking tools to do the research, underscoring the ease with which the medical data could be discovered and accessed.
“This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by health care professionals,” Sygula said.
Dirk Schrader, global vice president at New Net Technologies, added that threat actors can use the unprotected medical data of thousands of patients in many ways, especially when the data contains details like insurance information, social security numbers and birth dates.
“This allows for medical identity theft which can cost the victim several thousands of dollars,” Schrader said. “Next to this risk is the value of such a PHI data set if sold on the dark web, potentially tagged $1,000 per set. There are also risks related to the disclosure of such information to an employer or a credit lender. The interesting parts of the report are about the actual compromise of some systems the researchers have discovered, the URL redirect and the XSS attack attempt. This confirms an indication for compromise we found during our research.”
Vinay Sridhara, CTO at Balbix, said this most recent breach illustrates the challenges of securing increasingly complex digital ecosystems, particularly in sensitive industries like health care.
“To mitigate vulnerabilities across an organization’s entire IT infrastructure and safeguard databases, it is crucial that health care organizations achieve clear and comprehensive visibility over all assets, threats and risks across their networks,” Sridhara said. “This includes paying special attention to password hygiene, the use of weak or missing credentials and password reuse across the enterprise.”