700 Million Medical Records Exposed: What You Need to Know

Multiple images of a CT scan of a human head.
(Image credit: Sved Oliver/Shutterstock)

Medical records of 24 million people can easily be found online on 590 servers in 52 countries, including the United States, the United Kingdom and Canada, according to a report by the German security firm Greenbone Networks. 

The data includes X-ray images and CT and MRI scan results, as well as patients' names, dates of birth and government ID numbers, including Social Security numbers. Affected U.S. residents numbered 13.7 million, more than half the total.


An identity-theft bonanza

Sloppy information security is a systemic problem in the healthcare industry, which relies on quick and easy access to medical records in order to provide speedy and accurate care. There are standards for protecting medical records from digital exposure, but they are not universally implemented.

Because medical records hold so much personal information about a patient, they are a bonanza for identity thieves, who have been raiding medical records for more than a decade, often to file fraudulent tax returns in the victims' names and collect their refunds.

"This data could be exploited by attackers for various purposes," said the official Greenbone Networks report.

"These include publishing individual names and images to the detriment of a person's reputation; connecting the data with other Darknet sources to make phishing attacks and social engineering even more effective; reading and automatically processing the data to search for valuable identity information, such as Social Security Numbers, in preparation for identity theft."

Outmoded standards

The nearly 600 vulnerable systems that Greenbone Networks found are Picture Archiving and Communication System (PACS) servers that healthcare providers use to store and access medical images.

The PACS servers speak a protocol called Digital Imaging and Communications in Medicine, or DICOM, whose roots go back to the 1980s, when it was designed to make it easy for medical providers to share diagnostic images between devices and across networks. The base protocol has no built-in authentication or encryption: the only identifiers exchanged when a connection is opened are the two sides' "Application Entity" titles, which are not secrets, so a server that is reachable on its DICOM port and configured to accept connections from any peer will answer queries and hand over images to whoever asks. Secure transport profiles exist, but they are optional and, as this survey shows, often not deployed.

"Anyone can access a significant number of these systems and, what's more, they can see everything that's stored on them," said Greenbone Networks.

The Greenbone researchers used Shodan and Censys.io, search engines that index internet-facing devices and services rather than web pages, along with other sources to locate the exposed PACS servers. 

They used a commercial DICOM file-viewer software product to view the images. A software license costs about $100 per year, but you can download and use a fully functional trial version on any Windows PC.

About 40 of the systems weren't using DICOM's network protocol at all, but served the images over plain HTTP or FTP, which meant they could be viewed by anyone with a web browser.

In its blog post, Greenbone Networks called the whole thing "a massive global data leak waiting to happen."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.