Millions of patient scans and health records leaked online

[Image: doctor working on a laptop. Image credit: Pixabay]

Personally identifiable information (PII), as well as plenty of medical records belonging to millions of patients across the world have been found exposed on the internet and available to anyone who knows where to look.

These are the findings of Aplite, which claimed to have found more than 3,800 accessible PACS servers. For the uninitiated, PACS is short for Picture Archiving and Communications Server, a system used for storing, retrieving, and accessing medical images.

These images are stored in the Digital Imaging and Communications in Medicine (DICOM) format, which has been the medical industry standard for decades. The servers were found in more than 110 countries and exposed sensitive information on roughly 16 million patients.

Growing problem

The data that was exposed includes patient names, genders, addresses, phone numbers, and in some cases Social Security numbers. The researchers also said that they found 43 million health records such as examination results, examination dates, and the details of the physician who conducted the examination. 
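As an added example, not code from Aplite or the article: a minimal Python audit that walks a DICOM Part 10 file and reports which of the patient-identifying data elements named above are present, the kind of check an operator could run on a study before it is exported to an internet-facing PACS. It assumes the explicit VR little-endian transfer syntax and uses a sample file constructed inline.

```python
import struct

# DICOM data elements (group, element) that carry direct identifiers.
# The keywords are standard DICOM; which tags to audit is this example's choice.
PII_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0040): "PatientSex",
    (0x0010, 0x1040): "PatientAddress",
    (0x0010, 0x2154): "PatientTelephoneNumbers",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0008, 0x0020): "StudyDate",
}
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # VRs using a 4-byte length

def element(group, elem, vr, value):
    """Encode one explicit-VR little-endian data element, padded to even length."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    return struct.pack("<HH", group, elem) + vr + struct.pack("<H", len(value)) + value

def build_sample_dicom():
    """Constructed sample: 128-byte preamble, 'DICM' magic, meta header, patient data."""
    body = b"".join([
        element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1"),  # explicit VR LE
        element(0x0008, 0x0020, b"DA", b"20231115"),
        element(0x0008, 0x0090, b"PN", b"Doe^Jane"),
        element(0x0010, 0x0010, b"PN", b"Smith^John"),
        element(0x0010, 0x0020, b"LO", b"MRN-0001"),
        element(0x0010, 0x0040, b"CS", b"M"),
        element(0x0010, 0x1040, b"LO", b"1 Example St"),
        element(0x0010, 0x2154, b"SH", b"555-0100"),
    ])
    return b"\x00" * 128 + b"DICM" + body

def pii_elements(data):
    """Walk an explicit-VR little-endian DICOM stream; return the PII elements found."""
    assert data[128:132] == b"DICM", "not a DICOM Part 10 file"
    pos, found = 132, {}
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:  # 2 reserved bytes, then a 4-byte length
            length = struct.unpack_from("<I", data, pos + 8)[0]
            pos += 12
        else:               # 2-byte length follows the VR directly
            length = struct.unpack_from("<H", data, pos + 6)[0]
            pos += 8
        value, pos = data[pos:pos + length], pos + length
        if (group, elem) in PII_TAGS:
            found[PII_TAGS[(group, elem)]] = value.rstrip(b" \x00").decode("ascii", "replace")
    return found

if __name__ == "__main__":
    print(pii_elements(build_sample_dicom()))
```

A non-empty result means the study still carries identifiers and should be de-identified (or the server kept off the public internet) before it is exposed.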

Aplite took more than six months to gather all of the data, finding most of the servers are located in the US, India, and South Africa.

What’s more, the majority (at least 70%) are hosted on cloud services such as AWS or Azure. Speaking to TechCrunch, Sina Yazdanmehr, a senior IT security consultant at Aplite, said fewer than 1% of DICOM servers on the internet are properly secured.

“When we did this research, we realized that medical organizations had started the shift towards the cloud and modernization; big players went to the cloud because they could afford it and have the infrastructure,” the researcher noted. “But this digitalization forces small businesses that don’t have the resources or budget — just one DSL line — to catch up.”

This is a growing problem, the researchers warn. Every day, new hospitals are moving to the cloud and generating additional data that ends up on these unprotected servers.

Via TechCrunch


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.