More Than 45 Million Medical Images Containing PHI Stored on Unprotected Servers

A study conducted by the cybersecurity firm CybelAngel has revealed that more than 45 million medical images are stored on unprotected servers and can be easily accessed by unauthorized individuals. Those medical images, which include X-rays, MRI scans, and CT scans, contain patients' personal and protected health information and are neither encrypted nor password-protected.

The healthcare industry uses Network Attached Storage (NAS) devices and the Digital Imaging and Communications in Medicine (DICOM) standard for storing, transmitting, and receiving medical images, but appropriate protection is lacking to ensure that those images, and the PHI they contain, remain private and confidential, as is the case with other stored or transmitted healthcare data.

CybelAngel scanned more than 4.3 billion IP addresses for the study and identified over 45 million unprotected medical images on more than 2,140 servers in 67 countries, including the United States, the United Kingdom, and Germany.

The images were found to contain up to 200 lines of metadata, and it is in this metadata that the protected health information resides. The metadata included a range of personal information, such as names, dates of birth, and addresses, along with health data such as height, weight, diagnoses, and other information.
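The metadata described above is carried in the DICOM header as tagged data elements. As an added example (not code from the CybelAngel study or this article), the following Python script parses a constructed explicit-VR little-endian DICOM file and reports which PHI-bearing attributes are populated, the kind of check an operator could run over an archive before deciding how it may be stored or shared; the tag list, the sample file, and the omission of the group 0002 file-meta elements are assumptions made for brevity.

```python
import struct

# PHI-bearing DICOM header attributes (tag -> name); a subset of the identifying
# attributes in the DICOM PS3.15 de-identification profile.
PHI_TAGS = {(0x0010, 0x0010): "PatientName", (0x0010, 0x0030): "PatientBirthDate",
            (0x0010, 0x1030): "PatientWeight", (0x0010, 0x1040): "PatientAddress"}
# VRs whose explicit-VR encoding carries 2 reserved bytes and a 4-byte length.
LONG_VRS = {"OB", "OW", "OF", "SQ", "UN", "UT"}

def encode_element(group, elem, vr, value):
    """Encode one explicit-VR little-endian element (used to build the sample)."""
    data = value if isinstance(value, bytes) else value.encode("ascii")
    data += (b"\x00" if vr in LONG_VRS else b" ") * (len(data) % 2)  # even-length pad
    head = struct.pack("<HH2s", group, elem, vr.encode("ascii"))
    if vr in LONG_VRS:
        return head + struct.pack("<HI", 0, len(data)) + data
    return head + struct.pack("<H", len(data)) + data

def parse_elements(blob):
    """Yield (tag, vr, raw_value) from explicit-VR little-endian bytes (defined lengths only)."""
    pos = 0
    while pos + 8 <= len(blob):
        group, elem, vr = struct.unpack_from("<HH2s", blob, pos)
        vr, pos = vr.decode("ascii"), pos + 6
        if vr in LONG_VRS:
            length, pos = struct.unpack_from("<I", blob, pos + 2)[0], pos + 6
        else:
            length, pos = struct.unpack_from("<H", blob, pos)[0], pos + 2
        yield (group, elem), vr, blob[pos:pos + length]
        pos += length

def find_phi(dicom_bytes):
    """Return {attribute: value} for every non-empty PHI attribute in the header."""
    if dicom_bytes[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    found = {}
    for tag, vr, raw in parse_elements(dicom_bytes[132:]):
        if tag in PHI_TAGS and raw.strip():
            found[PHI_TAGS[tag]] = raw.decode("ascii").strip()
    return found

# Constructed sample: 128-byte preamble, "DICM" magic, a few header elements and a
# tiny OB pixel-data element (the group 0002 file-meta elements are omitted).
SAMPLE = (b"\x00" * 128 + b"DICM"
          + encode_element(0x0008, 0x0060, "CS", "MR")
          + encode_element(0x0010, 0x0010, "PN", "DOE^JANE")
          + encode_element(0x0010, 0x0030, "DA", "19800101")
          + encode_element(0x0010, 0x1030, "DS", "70")
          + encode_element(0x0010, 0x1040, "LO", "1 Example St")
          + encode_element(0x7FE0, 0x0010, "OB", bytes(16)))
```

Running `find_phi(SAMPLE)` on the constructed file returns the four populated identifying attributes; an empty result on a file that still carries a patient name would indicate the header was encoded in a transfer syntax this parser does not handle.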

The images and metadata could be accessed without any hacking tools, often with no username or password required. In many cases where a username or password was required, the login portal accepted blank usernames and passwords and granted access.

“This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals,” said David Sygula, Senior Cybersecurity Analyst at CybelAngel. “A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”


Patient privacy is being put at risk, but that is not the only issue with the exposure of the images. The data and the images themselves could be used for fraudulent purposes, for example in spear phishing schemes to obtain highly sensitive information such as Social Security numbers for identity theft, or for blackmail or ransomware attacks.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.