Millions of patient scans and health records leaked online
Personally Identifiable Information (PII), along with a large number of medical records belonging to millions of patients around the world, has been found exposed on the Internet, available to anyone who knows where to look.
These are the findings of Aplite, which claimed to have found more than 3,800 accessible PACS servers. For the uninitiated, PACS is an abbreviation for Picture Archiving and Communications Server, a server used to store, retrieve and access medical images.
These images are stored in the Digital Imaging and Communications in Medicine (DICOM) format, which has been the standard in the medical industry for decades. The servers were found in more than 110 countries and exposed sensitive information about approximately 16 million patients.
Growing problem
The data made public includes patient names, genders, addresses, telephone numbers and in some cases social security numbers. The researchers also said they found 43 million health records, such as study results, study dates and the details of the doctor who conducted the study.
Aplite took more than six months to collect all the data and discovered that most of the servers were located in the US, India and South Africa.
Moreover, the majority (at least 70%) are hosted on cloud services such as AWS or Azure. Sina Yazdanmehr, a senior IT security consultant at Aplite, told TechCrunch that less than 1% of DICOM servers on the Internet are properly secured.
“When we did this research, we realized that medical organizations had begun the shift to cloud and modernization; major players went to the cloud because they could afford it and had the infrastructure,” the researcher noted. “But this digitalization is forcing small businesses that don't have the resources or budget – just one DSL line – to catch up.”
This is a growing problem, the researchers warn. Every day, new hospitals move to the cloud and generate additional data that ends up on these unprotected servers.
Via TechCrunch