MRI scans, X-rays and more leaked online in major breach - over a million healthcare devices affected, here's what we know
Many healthcare devices are not properly configured or managed

- Modat found more than 1.2 million misconfigured devices leaking info
- This includes MRI scans, X-rays, and other sensitive files, together with patient contact data
- The healthcare industry needs a proactive approach to cybersecurity, researchers warn
Researchers have warned there are currently over a million internet-connected healthcare devices which are misconfigured, leaking all the data they generate online - putting millions of people at risk of identity theft, phishing, wire fraud, and more.
Modat recently scanned the internet for misconfigured devices without password protection, and for the data they expose. Using the tag ‘HEALTHCARE’, it found more than 1.2 million devices that were generating and leaking confidential medical images, including MRI scans, X-rays, and even blood work, from hospitals all over the world.
“Examples of data being leaked in this way include brain scans and X-rays, stored alongside protected health information and personally identifiable information of the patient, potentially representing both a breach of patient’s confidentiality and privacy,” the researchers explained.
Weak passwords and other woes
In some cases, the researchers found information unlocked and available to anyone who knows where to look. In other cases, the data was protected with passwords so weak and predictable that breaking in and grabbing it posed no challenge.
“In the worst-case scenario, leaked sensitive medical information could leave unsuspecting victims open to fraud or even blackmail over a confidential medical condition,” they added.
In theory, a threat actor could learn of a patient’s condition before the patient does. With names and contact details in hand, they could reach out to the patient and threaten to release the information to friends and family unless a ransom is paid.
Alternatively, they could impersonate the doctor or the hospital and send phishing emails inviting the victim to “view sensitive files” which would just redirect them to download malware or share login credentials.
The majority of the misconfigured devices are located in the United States (174K+), with South Africa a close second (172K+). Australia (111K+), Brazil (82K+), and Germany (81K+) round off the top five.
For Modat, a proactive security culture “beats a reactive response”.
“This research reinforces the urgent need for comprehensive asset visibility, robust vulnerability management, and a proactive approach to securing every internet-connected device in healthcare environments, ensuring that sensitive patient data remains protected from unauthorized access and potential exploitation,” commented Errol Weiss, Chief Security Officer at Health-ISAC.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.