Skip to main content

700 Million Medical Records Exposed: What You Need to Know

Multiple images of a CT scan of a human head.
(Image credit: Sved Oliver/Shutterstock)

Medical records of 24 million people can easily be found online on 590 servers in 52 countries, including the United States, the United Kingdom and Canada. 

The data includes X-ray images and CT and MRI scan results, as well as patients' names, dates of birth and government ID numbers, including Social Security numbers. Affected U.S. residents numbered 13.7 million, more than half the total.

"Many [of these servers] have no protection, aren't password protected or encrypted," said Greenbone Networks, the German information-security firm that found the records, in a blog posting. "You don't need to be a hacker to gain access to this highly sensitive data; it's all visible with the help of freely available tools."

MORE: Identity Theft Victim? Here's 6 Things You Need to Do

All told, about 737 million medical images were stored on these servers worldwide, of which 400 million could be viewed or downloaded without a password. Greenbone Networks said it did not download any of the data.

Unfortunately, there's not much that patients can do about this. The vulnerable servers belong to medical clinics, radiology practices and other small healthcare providers, who are responsible for their own security. 

The German broadcaster Bayerische Rundfunk and the American nonprofit media outlet Pro Publica got early access to the Greenhouse Networks and then did their own scans for vulnerable medical-images servers. They contacted several affected medical providers as a result, but only some secured their servers.

Pro Publica recommends that patients ask their physicians or other healthcare providers if access to their medical images requires a password. But that's assuming that patients can get a straight answer, or that medical personnel even know the answer.

An identity-theft bonanza

Sloppy information security is a systemic problem in the healthcare industry, which relies on quick and easy access to medical records in order to provide speedy and accurate care. There are standards for protecting medical records from digital exposure, but they are not universally implemented.

Because medical records hold so much patient personal information, they are a bonanza for identity thieves, who have been raiding medical records for more than a decade, often with the aim of using the stolen data to get other people's tax refunds.

"This data could be exploited by attackers for various purposes," said the official Greenbone Networks report

"These include publishing individual names and images to the detriment of a person's reputation; connecting the data with other Darknet sources to make phishing attacks and social engineering even more effective; reading and automatically processing the data to search for valuable identity information, such as Social Security Numbers, in preparation for identity theft."

Outmoded standards

The nearly 600 vulnerable systems that Greenbone Networks found are Picture Archiving and Communication System (PACS) servers that healthcare providers use to store and access medical images.

The PACS servers adhere to a protocol called Digital Imaging and Communications in Medicine, or DICOM, that was developed in the 1980s to make it easy for medical providers to share diagnostic images over public computer networks.

"Anyone can access a significant number of these systems and, what's more, they can see everything that's stored on them," said Greenbone Networks.

The Greenbone researchers used the search engines Shodan and Censys.io, which search for non-PC internet-connected devices, as well as other sources to find the vulnerable PACS servers online. 

They used a commercial DICOM file-viewer software product to view the images. A software license costs about $100 per year, but you can download and use a fully functional trial version on any Windows PC.

About 40 of the systems didn't even use DICOM, but used the common HTTP or FTP protocols instead, which meant they could have been viewed by anyone with a web browser.

In its blog posing, Greenbone Networks called the whole thing "a massive global data leak waiting to happen."