Lax security or lack of technical skills leaves many businesses and professions wide open to data breaches and leaks. In other words, sometimes information is stolen by hackers but many times the companies themselves are to blame for not securing their data.
The latter is the case in this latest massive data leak that has exposed millions of medical images such as X-rays and MRIs for anyone to see. No hacker skills are needed to access this sensitive data.
The medical images come from patients around the world, including the U.S. We’ll tell you how this leak happened and what specific information has been exposed, as well as what kinds of scams can be used with the data.
Medical images found on unsecured servers
Greenbone Networks, a German cybersecurity firm, was the first to sound the alarm about the estimated 733 million medical images that can easily be accessed on the internet. They knew that servers holding medical records were vulnerable to attacks or leaks, but were surprised by the depth and breadth of the problem.
The health care industry uses Picture Archiving and Communication Systems, or PACS servers, to archive medical images to make them available to attending physicians. Between mid-July 2019 and early September 2019, Greenbone Networks analyzed about 2,300 internet-connected PACS servers worldwide and found that hundreds do not have any kind of protection.
These unprotected servers contained 24.3 million data records from around the world that can easily be accessed by the public. The unprotected servers exposed:
- Full names
- Dates of birth
- Dates of examinations
- Scope of the examinations
- Type of imaging procedure
- Attending physicians’ names
- Where procedure took place
- Number of generated images
The number of images contained in the data is estimated at 733 million, of which almost 400 million can be accessed, displayed and downloaded. Greenbone researchers say this is one of the largest data leaks worldwide to date. Patients in 52 countries are affected.
The leaked medical images are in direct violation of several countries’ patient privacy laws. In the U.S., they violate the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule, which established national standards for securing patient data that is stored or transferred electronically.
Patients are advised to ask their doctors or other health care providers whether access to their images requires a login and password. Patients should also ask the medical imaging provider whether cybersecurity assessments are conducted regularly, as HIPAA mandates.
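The servers Greenbone found answered any request without checking who was asking. The following is an added example, not code from the article or from Greenbone, showing the gate a PACS should apply before accepting a DICOM association: it parses the A-ASSOCIATE-RQ header (layout from the DICOM standard, PS3.8), then compares the "open" configuration the exposed servers were effectively running with a hardened one that requires TLS, a known calling AE title and a peer address inside the hospital network. The AE titles, network range and request bytes are constructed for the example; nothing here touches a network.

```python
import ipaddress
import struct

PDU_ASSOCIATE_RQ = 0x01          # PDU type byte of an A-ASSOCIATE-RQ (DICOM PS3.8)


def build_associate_rq(calling_ae: str, called_ae: str) -> bytes:
    """Encode a bare A-ASSOCIATE-RQ with one Verification (C-ECHO) presentation
    context. Used only to construct a sample request for the gate below."""
    if len(calling_ae) > 16 or len(called_ae) > 16:
        raise ValueError("AE titles are at most 16 characters")

    def item(item_type: int, payload: bytes) -> bytes:
        # variable item: type, reserved byte, 2-byte big-endian length, payload
        return struct.pack(">BBH", item_type, 0, len(payload)) + payload

    app_ctx = item(0x10, b"1.2.840.10008.3.1.1.1")        # DICOM application context
    abstract = item(0x30, b"1.2.840.10008.1.1")           # Verification SOP class
    transfer = item(0x40, b"1.2.840.10008.1.2")           # implicit VR little endian
    pres_ctx = item(0x20, bytes([1, 0, 0, 0]) + abstract + transfer)
    user_info = item(0x50, item(0x51, struct.pack(">I", 16384)))  # max PDU length
    body = (struct.pack(">HH", 1, 0)                      # protocol version 1, reserved
            + called_ae.ljust(16).encode("ascii")
            + calling_ae.ljust(16).encode("ascii")
            + bytes(32)                                    # reserved
            + app_ctx + pres_ctx + user_info)
    return struct.pack(">BBI", PDU_ASSOCIATE_RQ, 0, len(body)) + body


def parse_associate_rq(pdu: bytes) -> dict:
    """Extract the fields an access-control gate needs from an A-ASSOCIATE-RQ."""
    if len(pdu) < 74:                                      # 6-byte PDU header + 68-byte fixed part
        raise ValueError("PDU too short for an A-ASSOCIATE-RQ")
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type != PDU_ASSOCIATE_RQ:
        raise ValueError(f"not an A-ASSOCIATE-RQ (type 0x{pdu_type:02x})")
    if length != len(pdu) - 6:
        raise ValueError("PDU length field does not match payload")
    return {
        "version": struct.unpack(">H", pdu[6:8])[0],
        "called_ae": pdu[10:26].decode("ascii").strip(),
        "calling_ae": pdu[26:42].decode("ascii").strip(),
    }


class AssociationPolicy:
    """Decides whether an incoming association is accepted. None for an allowlist
    means 'accept anything', which is what the exposed servers did."""

    def __init__(self, server_ae, allowed_ae_titles=None, allowed_networks=None,
                 require_tls=False):
        self.server_ae = server_ae
        self.allowed_ae_titles = allowed_ae_titles
        self.allowed_networks = (None if allowed_networks is None
                                 else [ipaddress.ip_network(n) for n in allowed_networks])
        self.require_tls = require_tls

    def decide(self, pdu: bytes, peer_ip: str, tls: bool):
        """Return ('accept' | 'reject', reason); the reason is what to log."""
        try:
            rq = parse_associate_rq(pdu)
        except ValueError as exc:
            return "reject", f"malformed request from {peer_ip}: {exc}"
        if rq["called_ae"] != self.server_ae:
            return "reject", f"called AE {rq['called_ae']!r} is not this server"
        if self.require_tls and not tls:
            return "reject", f"cleartext association from {peer_ip} refused"
        if self.allowed_networks is not None:
            ip = ipaddress.ip_address(peer_ip)
            if not any(ip in net for net in self.allowed_networks):
                return "reject", f"peer {peer_ip} is outside permitted networks"
        if self.allowed_ae_titles is not None and rq["calling_ae"] not in self.allowed_ae_titles:
            return "reject", f"calling AE {rq['calling_ae']!r} is not on the allowlist"
        return "accept", f"calling AE {rq['calling_ae']!r} from {peer_ip}"


# Weak setting: the state of the servers in the article, any peer is accepted.
OPEN_POLICY = AssociationPolicy(server_ae="PACS01")

# Hardened setting (constructed values): TLS only, known modalities, internal network only.
HARDENED_POLICY = AssociationPolicy(
    server_ae="PACS01",
    allowed_ae_titles={"CT_SCANNER_1", "MR_SUITE_2"},
    allowed_networks=["10.20.0.0/16"],
    require_tls=True,
)

if __name__ == "__main__":
    request = build_associate_rq("CT_SCANNER_1", "PACS01")
    for policy_name, policy in (("open", OPEN_POLICY), ("hardened", HARDENED_POLICY)):
        for peer, tls in (("203.0.113.9", False), ("10.20.0.5", True)):
            print(policy_name, peer, *policy.decide(request, peer, tls))
```

Every rejection carries a reason string; feeding those into the server log is what lets a SOC notice association attempts from outside the hospital network, which is the detection side of the same control.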
Dark ways to use the data
Greenbone calculated that the data could be worth up to $1.2 billion on the Dark Web. Any bad actors who get their hands on the unsecured data can also wreak havoc on people’s lives through various scams. Among them are:
Medical Identity Theft
The medical information can be used to obtain medical services such as prescriptions, surgery or other medical treatments, and to file fraudulent claims against health insurers.
Weaponizing of Medical Data
Bad actors could use the sensitive medical data to extort money, to disparage someone by combining it with real or fabricated additional data, or to exploit individuals who are in the public eye.
Financial Fraud
Personal information can be used to commit financial fraud, for example through loans and credit lines that are often linked to health data, or through tax fraud based on false billing.
Greenbone says there is no wholesale fix. It is up to the owners and operators of each compromised server to secure the data.
U.S. companies that own these servers have a very strong incentive to safeguard them. Under HIPAA they could face fines of up to $1.5 million as well as jail time.