Medical images and details of 24.3 million patients left exposed on the internet

Graham Cluley

When we think about our data being leaked onto the internet, we often picture it as our financial records, our passwords, our names and addresses… but what about our private medical information?

Researchers at Greenbone Networks discovered that confidential images of X-rays, CT and MRI scans related to millions of patients have been left unprotected on hundreds of servers used by health providers worldwide.

Analysing 2,300 medical image archive systems around the world in the last two months, Greenbone’s team found 590 were freely accessible, containing records of 24.3 million patients in 52 different countries.

Exposed information included patients’ names, dates of birth, dates of examination, the attending physician, and some medical information about the purpose of the examination. In addition, 13.7 million of the compromised records included the social security numbers of American patients.

Attached to the exposed patient data were more than 737 million images, with approximately 400 million easily downloadable via the internet. In some cases the imaging servers even allowed the patient data to be downloaded via an unencrypted HTTP connection… D’oh!

Remember, Greenbone’s researchers did not have to exploit a software vulnerability or crack a password to access this treasure trove of medical data. All they had to do was visit publicly-accessible webpages, where no thought had seemingly been put into securing the details with even the simplest of passwords.

It’s clearly horrendous that names, dates of birth, and social security numbers have been spilled due to the sloppy lack of security in place at the imaging servers.

But the fact that the systems also exposed X-rays, CT and MRI scans, and other deeply personal health records, opens more opportunities for a criminal – including even to potentially blackmail individuals in the public eye who don’t want their medical issues shared with the world.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.
