UPDATED 22:24 EST / SEPTEMBER 17 2019

SECURITY

24M medical records found exposed online across 590 archive systems

Another day, another case of publicly exposed data, and today’s tale of data woe involves 24 million medical records across a possibly record-high 590 online medical image archive systems.

Discovered by German cybersecurity firm Greenbone Networks, the data, which includes X-rays, MRIs and CT scans, is open to all and sundry online without password protection. The exposure comes via servers running the Picture Archiving and Communication System, a 1980s-era protocol that was designed to digitize medical images but was not designed for the internet age.

The standard “dictates how medical imaging devices are networked in order to exchange and archive information about patients and images,” Greenbone explained in a blog post Monday. “PACS servers use this standard, which includes the IP protocol. This means that these systems can also be found on the internet.”

While the exposure of medical scans may not seem that bad by itself, the records included names, dates of birth, dates and details of examinations, treating physicians, clinics and, in the case of U.S. patients, Social Security numbers as well.

In a separate report, ProPublica claimed the exposed records include 5 million patients in the U.S. across 187 servers. MobilexUSA, a mobile imaging services company named in the report, is said to have secured its records prior to publication, but the company is one of many that are exposing the records online.

Along with breaching the European General Data Protection Regulation for patient records in the European Union, the exposures in the U.S. may break the Health Insurance Portability and Accountability Act, a law that requires health data to be kept confidential.

Chris Morales, head of security analytics at artificial intelligence threat detection provider Vectra AI Inc., told SiliconANGLE that the exposure has become all too common.

“The number of compromises based on data being publicly available from unsecured or poorly configured cloud systems isn’t even hacking anymore,” Morales explained. “It is just people poking around the internet to see what is open and available for the taking.”

Morales added that healthcare providers and the large network of service providers they rely on have created a huge gap in responsibility for securing patient information. “The software from the providers is built with an assumption that the healthcare provider will secure their network and the healthcare provider is acquiring software with an assumption the software provider is offering secure software,” he said. “As keeps being proven, neither seems to be true.”

The problem is that often systems are brought in by medical staff without the advice of the information technology security team. “It is a complicated network that forces IT security to proactively look for shadow IT systems that could expose data exactly like what is happening here,” he said.
