Medical records of millions of people around the world have been left unprotected on the internet due to poor basic security protocols or a lack of passwords, an investigation has found.
The 16 million datasets, which affect patients in 52 countries, comprise names, dates of birth, X-rays, MRI scans and CT scans — and in some cases include the details of procedures carried out, too.
These vulnerabilities were discovered during a joint investigation by US investigative journalism non-profit ProPublica and Germany’s Bayerischer Rundfunk news outlet.
Among its findings, the investigation identified five servers in Germany and a further 187 in the US that made patients’ records available online without a password.
ProPublica noted in its report that the findings were unlike typical investigations of security breaches and hacking because much of the data simply lacked security precautions to protect it.
“It’s not even hacking. It’s walking into an open door,” Jackie Singh, a cybersecurity researcher and chief executive of the consulting firm Spyglass Security, told the outlet.
Meanwhile, security researcher Cooper Quintin said the evidence was “utterly irresponsible”.
He added: “Medical records are one of the most important areas for privacy because they’re so sensitive.
“Medical knowledge can be used against you in malicious ways: to shame people, to blackmail people.”
Following the report, authorities in 46 of the countries affected have been contacted.