Millions of sensitive medical records are exposed online for anyone to see

Millions of sensitive medical records are exposed online for anyone to see

Lax security or lack of technical skills leaves many businesses and professions wide open to data breaches and leaks. In other words, sometimes information is stolen by hackers but many times the companies themselves are to blame for not securing their data.

The latter is the case in this latest massive data leak that has exposed millions of medical images such as X-rays and MRIs for anyone to see. No hacker skills are needed to access this sensitive data.

The medical images come from patients around the world, including the U.S. We’ll tell you how this leak happened and what specific information has been exposed, as well as what kinds of scams can be used with the data.

Medical images found on unsecured servers

Greenbone Networks, a German cybersecurity firm, was the first to sound the alarm about the estimated 733 million medical images that can easily be accessed on the internet. They knew that servers holding medical records were vulnerable to attacks or leaks, but were surprised by the depth and breadth of the problem.

The health care industry uses Picture Archiving and Communication Systems, or PACS servers, to archive medical images to make them available to attending physicians. Between mid-July 2019 and early September 2019, Greenbone Networks analyzed about 2,300 internet-connected PACS servers worldwide and found that hundreds do not have any kind of protection.

These unprotected servers contained 24.3 million data records from around the world that can easily be accessed by the public. The unprotected servers exposed:

  • Full names
  • Dates of birth
  • Dates of examinations
  • Scope of the examinations
  • Type of imaging procedure
  • Attending physicians’ names
  • Where procedure took place
  • Number of generated images

 

Related: 8 ways to protect yourself from a medical data breach

 

The number of images contained in the data is estimated at 733 million, of which almost 400 million can be accessed, displayed and downloaded. Greenbone researchers say this is one of the largest data glitches worldwide to date. Patients in 52 countries are affected.

The leaked medical images are in direct violation of several countries’ patient privacy laws. In the U.S., the Health Insurance Portability and Accountability Act’s (HIPPA) Security Rule. The rule established national standards for securing patient data that is stored or transferred electronically.

Patients are advised to ask their doctors or other health care providers whether their access to your images requires a login and password. Also, patients should ask the medical imaging provider if cybersecurity assessments are conducted regularly as mandated by HIPPA.

Dark ways to use the data

Greenbone calculated that the data could be worth up to $1.2 billion on the Dark Web. Any bad actors who get their hands on the unsecured data can also wreak havoc on people’s lives through various scams. Among them are:

Medical Identity Theft

The medical information can be used to obtain medical services such as prescriptions, surgery or other medical treatments, and counterfeit settlements against health insurers.

Weaponizing of Medical Data

Bad actors could use the sensitive medical data to extort money, disparage someone by false or real additional data, or exploit individuals who are in the public eye.

Financial Fraud

Personal information can be used to commit financial fraud. This could be done through loans and credit lines that are often linked to health data and tax fraud through false billing.

Greenbone says there is no wholesale fix. It is up to the owners and operators of each compromised server to secure the data.

Servers owned by U.S. companies have a very strong incentive to safeguard their servers. Under HIPPA they could face fines of up to $1.5 million as well as jail time.

Tags: cybersecurity, hackers, internet, security