Medical images and details of 24.3 million patients left exposed on the internet

When we think about our data being leaked onto the internet, we often picture it as our financial records, our passwords, our names and addresses… but what about our private medical information?

Researchers at Greenbone Networks discovered that confidential images of X-rays, CT and MRI scans related to millions of patients has been left unprotected on hundreds of servers used by health providers worldwide.

Analysing 2,300 medical image archive systems around the world in the last two months, Greenbone’s team found 590 were freely accessible, containing records of 24.3 million patients in 52 different countries.

Exposed information included patients’ names, dates of birth, dates of examination, the attending physician, and some medical information about the purpose of the examination. In addition, 13.7 million of the compromised records included the social security numbers of American patients.

Attached to the exposed patient data were more than 737 million images, with approximately 400 million easily downloadable via the internet. In some cases the imaging servers even allowed the patient data to be downloaded via an unencrypted HTTP connection… D’oh!

Remember, Greenbone’s researchers did not have to exploit a software vulnerability or crack a password to access this treasure trove of medical data. All they had to do was visit publicly-accessible webpages, where no thought had seemingly been put into securing the details with even the simplest of passwords.

It’s clearly horrendous that names, dates of birth, and social security numbers have been spilled due to the sloppy lack of security in place at the imaging servers.

But the fact that the systems also exposed X-rays, CT and MRI scans, and other deeply personal health records, opens more opportunities for a criminal – including even to potentially blackmail individuals in the public eye who don’t want their medical issues shared with the world.

Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.