Cybersecurity researchers from CybelAngel, a provider of digital risk protection services, uncovered a massive data leak that exposed millions of sensitive medical images, including X-rays and CT scans, together with personal health care information (PHI). The images sit openly accessible on unsecured servers, where anyone who finds them can retrieve and misuse them.
The exposure came to light after CybelAngel’s six-month investigation into Network Attached Storage (NAS) devices and the Digital Imaging and Communications in Medicine (DICOM) standard, which health care providers use to send and receive medical images and data.
CybelAngel’s researchers examined over 4.3 billion IP addresses and found more than 45 million unique medical images that are left exposed on 2,140 unprotected servers across 67 countries, including the U.S., the U.K., and Germany. “The analysts found that openly available medical images, including up to 200 lines of metadata per record, which included PII (personally identifiable information; name, birth date, address, etc.) and PHI (height, weight, diagnosis, etc.), could be accessed without the need for a username or password. In some instances, login portals accepted blank usernames and passwords,” the researchers explained.
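The metadata the researchers describe lives in the DICOM header, as tagged elements alongside the pixel data, which is why an exposed image file leaks the patient's name, birth date, address, height and weight without any further lookup. The script below is an added example, not CybelAngel's tooling or code from the article: it implements a minimal explicit-VR little-endian DICOM reader and writer so it runs offline without a third-party library, builds a small constructed sample file with fake patient data (real tag numbers and VRs from the DICOM standard, everything else invented), lists the PII/PHI elements an exposed file would reveal, and writes a de-identified copy with VR-appropriate dummy values. The set of flagged tags is a short illustrative selection, not the full DICOM de-identification profile.

```python
"""Audit a DICOM header for PII/PHI and produce a de-identified copy (added example)."""
import struct
from dataclasses import dataclass

# VRs whose length field is 4 bytes (after 2 reserved bytes) in explicit VR.
LONG_LENGTH_VRS = {"OB", "OW", "OF", "SQ", "UT", "UN"}

# Illustrative selection of tags a privacy review flags: name, ID, birth date and
# address are PII; height, weight and study description are PHI.
SENSITIVE_TAGS = {
    (0x0008, 0x1030): "StudyDescription",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1020): "PatientSize",
    (0x0010, 0x1030): "PatientWeight",
    (0x0010, 0x1040): "PatientAddress",
}
# Dummy values that stay valid for their VR; anything else becomes "REDACTED".
PLACEHOLDERS = {"DA": b"19000101", "DS": b"0"}


@dataclass
class Element:
    group: int
    element: int
    vr: str
    value: bytes

    @property
    def tag(self):
        return (self.group, self.element)

    def text(self):
        # String values are space- or NUL-padded to even length; strip the padding.
        return self.value.rstrip(b" \x00").decode("ascii")


def encode_element(group, element, vr, value):
    """Serialise one element in explicit VR little endian, padding to even length."""
    if len(value) % 2:
        value += b"\x00" if vr == "UI" else b" "
    head = struct.pack("<HH", group, element) + vr.encode("ascii")
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def encode_file(elements):
    """128-byte preamble, 'DICM' magic, then the elements in order."""
    body = b"".join(encode_element(e.group, e.element, e.vr, e.value) for e in elements)
    return b"\x00" * 128 + b"DICM" + body


def build_sample_file():
    """Constructed sample with fake patient data; the file meta group is reduced
    to the transfer syntax UID for brevity, and no pixel data is included."""
    return encode_file([
        Element(0x0002, 0x0010, "UI", b"1.2.840.10008.1.2.1"),  # explicit VR LE
        Element(0x0008, 0x0060, "CS", b"CT"),                   # Modality
        Element(0x0008, 0x1030, "LO", b"CHEST CT FOR NODULE FOLLOW-UP"),
        Element(0x0010, 0x0010, "PN", b"DOE^JANE"),
        Element(0x0010, 0x0020, "LO", b"MRN-000123"),
        Element(0x0010, 0x0030, "DA", b"19800101"),
        Element(0x0010, 0x1020, "DS", b"1.70"),
        Element(0x0010, 0x1030, "DS", b"65"),
        Element(0x0010, 0x1040, "LO", b"1 MAIN ST ANYTOWN"),
    ])


def parse_file(data):
    """Parse a Part 10 file: preamble, 'DICM', then explicit VR LE elements."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos, elements = 132, []
    while pos < len(data):
        group, element = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii")
        if vr in LONG_LENGTH_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length elements not handled in this example")
        elements.append(Element(group, element, vr, data[pos:pos + length]))
        pos += length
    return elements


def find_sensitive(elements):
    """Return {tag name: value} for every flagged PII/PHI element present."""
    return {SENSITIVE_TAGS[e.tag]: e.text() for e in elements if e.tag in SENSITIVE_TAGS}


def deidentify(data):
    """Rewrite the file with every flagged value replaced by a VR-appropriate dummy."""
    cleaned = [Element(e.group, e.element, e.vr,
                       PLACEHOLDERS.get(e.vr, b"REDACTED") if e.tag in SENSITIVE_TAGS else e.value)
               for e in parse_file(data)]
    return encode_file(cleaned)


if __name__ == "__main__":
    sample = build_sample_file()
    print("exposed header fields:", find_sensitive(parse_file(sample)))
    print("after de-identification:", find_sensitive(parse_file(deidentify(sample))))
```

Running the script on the sample prints seven exposed fields, then the same seven tags carrying only dummy values; the modality and transfer syntax elements pass through unchanged. The same `find_sensitive` pass, run over files pulled from a storage share during an internal review, is a quick way to measure what an unauthenticated reader of that share would learn before deciding on access controls.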
David Sygula, Senior Cybersecurity Analyst at CybelAngel, said, “This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by health care professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”
Todd Carroll, CybelAngel CISO, said, “Medical centers work with a vast, interconnected web of third-party providers and the cloud is an essential platform for sharing and storing data. However, gaps in security, such as this, present a huge risk, both for the individuals whose data is compromised and the health care institutions that are governed by regulations to protect patients’ data.”
The health care sector faces persistent challenges in medical data security. With opportunistic cybercriminals preying on sensitive medical information and exploiting the pandemic, health care providers must strengthen their cybersecurity posture to protect their patients’ personal data.