Overexposed – 45 million medical images

More than 45 million medical imaging files – including X-rays and CT scans – are freely accessible on unprotected servers.

The analyst team at CybelAngel, a global leader in digital risk protection, has discovered that millions of sensitive images, including personal healthcare information (PHI), were available unencrypted and without password protection.

The findings are revealed in new research, ‘Full Body Exposure’, the result of a six-month CybelAngel investigation into Network Attached Storage (NAS) and Digital Imaging and Communications in Medicine (DICOM), the de facto standard used by healthcare professionals to send and receive medical data.

CybelAngel tools scanned approximately 4.3 billion IP addresses and detected more than 45 million unique medical images left exposed on over 2,140 unprotected servers across 67 countries, including the UK, US and Germany. The analysts found that openly available medical images, containing up to 200 lines of metadata per record, which included PII (personally identifiable information: name, birth date, address etc.) and PHI (height, weight, diagnosis etc.), could be accessed without the need for a username or password. In some instances, login portals accepted blank usernames and passwords.
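The metadata the report describes lives in the DICOM header of each image, which is why an exposed file leaks far more than pixels. The following Python is an added example, not CybelAngel's tooling or any code from the report: it encodes a small, constructed DICOM header (explicit VR little endian, with the 128-byte preamble and "DICM" magic real files carry), walks its data elements, reports which identifying attributes are populated, and produces a redacted copy that keeps the file layout intact. The tag list is a hand-picked subset of the identifying attributes in the DICOM standard's de-identification profile (PS3.15 Annex E), not the full table, and the sample record is invented.

```python
import struct

# Subset of identifying attributes from the DICOM de-identification profile
# (PS3.15 Annex E). A production audit would load the full table.
PHI_TAGS = {
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x0040): "PatientSex",
    (0x0010, 0x1010): "PatientAge",
    (0x0010, 0x1030): "PatientWeight",
    (0x0010, 0x1040): "PatientAddress",
    (0x0010, 0x2154): "PatientTelephoneNumbers",
}

# VRs whose header carries 2 reserved bytes and a 4-byte length (PS3.5 7.1.2).
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def encode_element(group, elem, vr, value):
    """Encode one explicit VR little endian data element; values are even-padded."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    if vr in LONG_LENGTH_VRS:
        header = struct.pack("<HH2sxxI", group, elem, vr, len(value))
    else:
        header = struct.pack("<HH2sH", group, elem, vr, len(value))
    return header + value


def build_sample_file():
    """Constructed CT header (not a real record): preamble, 'DICM', then elements."""
    body = b"".join([
        encode_element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1"),  # Explicit VR LE
        encode_element(0x0008, 0x0060, b"CS", b"CT"),                  # Modality
        encode_element(0x0010, 0x0010, b"PN", b"DOE^JANE"),
        encode_element(0x0010, 0x0030, b"DA", b"19700101"),
        encode_element(0x0010, 0x1030, b"DS", b"70"),
        encode_element(0x0010, 0x1040, b"LO", b"1 Example Street"),
        encode_element(0x7FE0, 0x0010, b"OB", bytes(16)),              # stand-in pixel data
    ])
    return bytes(128) + b"DICM" + body


def iter_elements(data):
    """Yield (group, elem, vr, value_offset, value) for each data element.
    Only defined-length elements are handled; undefined-length sequences
    (length 0xFFFFFFFF) are out of scope for this example."""
    pos = 132 if data[128:132] == b"DICM" else 0
    while pos + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        pos += 6
        if vr in LONG_LENGTH_VRS:
            (length,) = struct.unpack_from("<xxI", data, pos)
            pos += 6
        else:
            (length,) = struct.unpack_from("<H", data, pos)
            pos += 2
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element not supported")
        yield group, elem, vr, pos, data[pos:pos + length]
        pos += length


def find_phi(data):
    """Map attribute name -> value for every identifying tag with a non-blank value."""
    found = {}
    for group, elem, _vr, _offset, value in iter_elements(data):
        name = PHI_TAGS.get((group, elem))
        if name and value.strip(b" \x00"):
            found[name] = value.decode("ascii", "replace").strip()
    return found


def redact_phi(data):
    """Return a copy with each PHI value overwritten by spaces of the same length,
    so element lengths, and therefore the file layout, remain valid."""
    out = bytearray(data)
    for group, elem, _vr, offset, value in iter_elements(data):
        if (group, elem) in PHI_TAGS:
            out[offset:offset + len(value)] = b" " * len(value)
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_file()
    print("PHI found:", find_phi(sample))
    print("after redaction:", find_phi(redact_phi(sample)))
```

Run against a real export, `find_phi` is the check to apply before any study leaves the archive or lands on a NAS share; an empty result is the condition a sharing pipeline should enforce, and `redact_phi` shows the minimal in-place fix when the file must keep its structure.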

“The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files,” says David Sygula, senior cybersecurity analyst at CybelAngel and author of the report. “This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”

Todd Carroll, CybelAngel CISO, further comments: “Medical centres work with a vast, interconnected web of third-party providers and the cloud is an essential platform for sharing and storing data. However, gaps in security, such as this, present a huge risk, both for the individuals whose data is compromised and the healthcare institutions that are governed by regulations to protect patients’ data. The health sector has faced unprecedented challenges this year. However, the security and privacy of their patients’ most personal records must be protected to prevent highly confidential data falling into the wrong hands.”