Millions of medical scans and records lying unprotected on the internet, claim researchers

Medical details of around 24 million patients are freely accessible on the internet, warn researchers

Medical records of around 24 million patients are freely available on the internet, according to an investigation by researchers at German cyber security firm Greenbone Networks.

Following an analysis of medical image archiving systems used across the world, the researchers found that 590 such systems, containing more than 700 million images, are running unprotected on the public internet. The images being leaked include CT scans, X-rays and MRIs, with almost 400 million images available for download, without restrictions.

Researchers blame careless configuration of PACS (Picture Archiving and Communication Systems) servers for this massive data leak on the internet. PACS servers are used by hospitals and independent medical centres to store and access medical images.

Researchers found that many PACS servers are implemented with no security measures in place to protect the sensitive data stored on them. The servers are neither encrypted nor password protected, meaning that any individual on the internet can easily gain access to confidential patient data by following a few simple steps.

In some cases, free software - or even just a web browser - could enable intruders to view the images and private data (such as name, date of birth, examination details, name of the specialist, and so on) of patients.

In addition, these systems were also found to be affected by a large number of "real" vulnerabilities, such as faulty database instances or outdated web server versions. Such unprotected systems were found in 52 countries across the world by the researchers.

In a separate investigation, ProPublica and German public broadcaster Bayerischer Rundfunk found the records of more than five million US patients lying unprotected on the internet. The researchers identified 187 unprotected servers in the US alone.

"It's not even hacking. It's walking into an open door," said Jackie Singh, the chief executive of the consulting firm Spyglass Security.

According to ProPublica, the extent of the leak varies depending on the health provider and the software it uses. For example, the server of American firm MobilexUSA was found to be revealing the details of over one million patients in response to a simple data query.

MobilexUSA secured its systems last week after being alerted by ProPublica. ProPublica said it has found no evidence, so far, of patient data being copied or downloaded from unprotected systems and published elsewhere.