Millions of medical records containing patient information left unprotected on the network
Hans Wieland
Independent Business Owner / Consultant to the Precious Metal Industry / Senior Advisor / Risk Assessor / Lead Auditor
Based on a German TV report by Maximilian Zierer and Hakan Tanriverdi, BR Recherche/BR Data
Highly sensitive medical data, including that of patients from Germany, the US and many other countries, has ended up on unsecured servers, according to research by Bayerischer Rundfunk together with the US investigative platform ProPublica. Anyone could have accessed it.
Breast cancer screenings, spinal images, chest X-rays, a pacemaker clearly visible: these are the most intimate images, and they have been freely available on the internet for years. These data sets from millions of patients worldwide are stored on unprotected servers. Thousands of patients from Germany can also be found in this data leak. This is the result of a joint investigation by Bayerischer Rundfunk and the US research portal ProPublica.
The images are high-resolution and packed with information. Almost all of it is personal: date of birth, first and last name, date of examination, and details about the attending physician or the treatment itself.
X-rays of patients on the Internet
According to BR research, more than 13,000 data sets of patients in Germany are affected, more than half of them containing images: they were accessible until last week and come from at least five different locations. Most of the data concern patients in the Ingolstadt area and in Kempen in North Rhine-Westphalia.
Worldwide, the scale is considerably larger; servers all over the world are unprotected: in about 50 countries, from Brazil to Turkey to India, 16 million data sets are said to be open on the net. Patients from the USA are particularly affected. According to ProPublica's evaluation, more than one million patient data sets were available from a single provider of radiological examinations alone.
Patient data easy to find
When patients are examined in an MRI scanner, two- and three-dimensional images of the inside of the body are created. The devices send these images to a dedicated server used for image archiving, a Picture Archiving and Communication System (PACS). X-rays and computed tomography images also land on these servers.
If the servers are not sufficiently secured, getting to the data is trivial, explains information security expert Dirk Schrader. He contacted the investigative and data journalists of Bayerischer Rundfunk after finding more than 2,300 computers worldwide that contained such data sets. The servers were unprotected.
No passwords, no privacy ...
Schrader speaks of "near real-time access": access almost as it happens. "In the systems I reviewed, I had the impression that, in case of doubt, I would even be able to access the image earlier than the doctor," he says.
Journalists from BR Recherche/BR Data reproduced Schrader's approach. Spot-check contacts also confirmed the authenticity of the data.
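The weakness the article describes is an image archive that other hosts can reach without any password authentication. As an added illustration, and not code from the BR/ProPublica investigation or from any operator mentioned here, the following Python script audits a PACS server configuration for exactly that condition and shows the weak settings beside the corrected ones. It assumes the JSON configuration format of the open-source Orthanc PACS (keys such as RemoteAccessAllowed, AuthenticationEnabled, DicomAlwaysAllowStore and DicomCheckCalledAet); the article does not say which software the affected servers run, and both sample configurations below are constructed.

```python
"""Audit an Orthanc-style PACS configuration for internet exposure without authentication.

Assumption of this example: the configuration is the JSON format used by the
open-source Orthanc PACS. The article does not name the software involved.
"""
import json
from typing import List

# Constructed example of a server exposed the way the article describes.
WEAK_CONFIG = json.dumps({
    "Name": "radiology-archive",
    "HttpPort": 8042,
    "DicomPort": 4242,
    "RemoteAccessAllowed": True,      # reachable from other hosts
    "AuthenticationEnabled": False,   # no password on the web/REST interface
    "SslEnabled": False,              # cleartext HTTP
    "DicomAlwaysAllowEcho": True,
    "DicomAlwaysAllowStore": True,    # any node may push studies
    "DicomCheckCalledAet": False,     # called AE title not verified
    "DicomModalities": {},
})

# Constructed example of the same server after hardening.
HARDENED_CONFIG = json.dumps({
    "Name": "radiology-archive",
    "HttpPort": 8042,
    "DicomPort": 4242,
    "RemoteAccessAllowed": True,
    "AuthenticationEnabled": True,
    "RegisteredUsers": {"pacs-admin": "<password-from-secrets-manager>"},  # placeholder
    "SslEnabled": True,
    "SslCertificate": "/etc/orthanc/server.pem",                           # placeholder path
    "DicomAlwaysAllowEcho": False,
    "DicomAlwaysAllowStore": False,
    "DicomCheckCalledAet": True,
    "DicomModalities": {"MRI1": ["MRI1", "10.0.5.20", 104]},               # constructed peer
})


def audit_pacs_config(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means no weak setting was found.

    A missing key is treated as the weak value so that the audit reports rather
    than silently trusting a software default (a conservative choice made by this
    example, not a statement about the real defaults).
    """
    cfg = json.loads(config_text)
    findings: List[str] = []

    remote = bool(cfg.get("RemoteAccessAllowed", False))
    auth = bool(cfg.get("AuthenticationEnabled", False))
    users = cfg.get("RegisteredUsers") or {}

    if remote and not auth:
        findings.append("web/REST interface reachable from other hosts without authentication")
    if auth and not users:
        findings.append("authentication enabled but no RegisteredUsers configured")
    if remote and not cfg.get("SslEnabled", False):
        findings.append("remote access without TLS: credentials and images travel in cleartext")
    if cfg.get("DicomAlwaysAllowStore", False):
        findings.append("DicomAlwaysAllowStore: any DICOM node may push studies into the archive")
    if not cfg.get("DicomCheckCalledAet", False):
        findings.append("DicomCheckCalledAet off: associations accepted regardless of called AE title")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_pacs_config(text)
        print(f"{label}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```

One caveat the audit cannot fix: the DICOM protocol itself (the port the modalities talk to) has no password at all, and AE-title checks are only a weak filter. Even a hardened configuration therefore still requires that the DICOM and HTTP ports are never reachable from the public internet; a firewall or VPN in front of the archive is the real control, and the settings above only reduce the damage if that control fails.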
German Data Protection Commissioner: "This is nobody's business"
The Federal Commissioner for Data Protection, Ulrich Kelber, speaks of a "devastating first impression" when the reporters show him a patient record in anonymised form. He warns of possible consequences: "You do not want an employer, an insurance company or a bank to know this data and then deny you a contract or a loan." This data makes up our digital identity, he says; "it does not belong in the hands of third parties."
Sebastian Schinzel, professor of IT security at Münster University of Applied Sciences, also speaks of a "tangible scandal". He is currently working on a project in North Rhine-Westphalia to improve cyber security in the healthcare sector: "This data is highly sensitive, and of course I do not want it to be on the Internet without password authentication. I find that catastrophic."
German IT Security Authority informs 46 countries
Dirk Schrader also contacted the Federal Office for Information Security (BSI), the authority responsible for IT security. On request, a spokesperson said that 17 cases had been investigated and "three institutions directly informed about the facts".
For legal reasons, the BSI is not permitted to access the data itself. In the remaining 14 cases, where the IP address alone was not sufficient to identify the source of the leak, it contacted the Internet providers, which were then required to inform the affected institutions. In addition, authorities in 46 countries have been contacted.
According to BR information, several servers with sensitive patient data were accessible until last week, including a server in Bavaria holding the data of 7,000 patients. The Bavarian State Office for Data Protection Supervision is in contact with the operator of the server, as a spokesperson stated in writing on request. The next steps are now being examined: "This can range from obvious measures such as improved IT security to the initiation of a fine." BR had passed the locations known to it on to the office. The servers have since been taken off the net.
Data leak was not taken seriously
As early as 2016, Oleg Pianykh, professor of radiology at Harvard Medical School, published a study on unprotected PACS servers. At that time he found more than 2,700 open systems: "We have a huge problem with medical devices that are completely unsecured and unprotected, and anyone, any hacker, can connect to these devices and compromise patient records," Pianykh says in an interview with BR and ProPublica.
Lecturer for medical professionals, Feldenkrais educator, trainer for mind and movement, self-employed
5 years ago
Protection is a foreign word. For a long time now it has not been about the human being, or perhaps it never was. It is about persons, and they are public. Unfortunately.