DataBreaches.Net


Unprotected patient data in the Internet – a review 60 days later, or The Good, the Bad, and the Ugly

Posted on November 18, 2019 by Dissent

A report by Greenbone Networks in September about the leak of medical images online made waves — including spurring Senator Warner to ask HHS OCR what it was doing in response to the report.

Today, Greenbone reached out to a number of sites to alert us all to an update to their report.

From their executive summary:

After our initial measuring of the depth and breadth of data leaking PACS servers across the globe, we wanted to follow a good, standard information security practice: CONTROL. We were interested to see what – if anything – has changed, and to what extent, and decided to do this 60 days after the initial research, as this is the timeline given by the US Department of Health & Human Services for Medical Service Providers to report a major breach affecting 500 or more individuals. The results are mixed; some provide hope that the issue is taken seriously, some others destroy that hope right away.

The overall numbers for studies and images have risen to a staggering level, with studies amounting to 35 million and related images to 1,193,404,000, that is, 1.19 billion images (compared to 24.5 million studies and 737 million images in the previous report).

In the following chapters, we sort the affected countries into three groups, which we call

• the “Good”
• the “Bad”, and
• the “Ugly”.

Especially the five countries belonging to the “Ugly” group need immediate attention by their respective governments (i.e. federal or state-level DPO). Their combined number of datasets represents more than 75% of the full data set scrutinized.

During the initial research and report, we learned a lot and tuned our technology, so that we identified more PACS servers in the base set of IP addresses and added them to the count. For systems which have disappeared, their former count isn’t part of our current calculation anymore.

The highlights for interesting pieces of data and conclusions are:

  • 129 new archiving systems found, and 172 went off grid
  • 11 countries managed to take all PACS systems off the public Internet, and nine ‘new’ countries got added to the overall data.
  • USA and Ecuador have greatly increased numbers of studies, PII, and images accessible.
  • One system in the US is the largest so far (from an accessible image count perspective) and contains SSNs for approx. 250,000 individual US citizens.
  • Indications exist that Turkish PACS servers contain scans of Turkish National ID cards, accessible from the public Internet.
  • One archive contains data from US army hospitals, where the patient IDs appear to be DoD IDs.
  • Proper controls, like those mandated by HIPAA in the US, are largely missing.
  • The potential financial risk related to Medical Identity Theft amounts to $5.3 billion.

We stated before that the information held by all the servers we found is covered by laws and regulations of the various countries and regions, like GDPR in Europe, HIPAA in the US and others.

  • South Africa: Protection of Personal Information Act (POPI Act)
  • Brazil: Lei Geral de Proteção de Dados Pessoais (LGPD)
  • India: Information Technology Act 2000, Data Privacy Rules

It is sort of telling that as of Nov 12, 2019, we haven’t seen any reporting of specific PACS systems allowing access from the public Internet in the data breach list provided by HHS. We will continue to monitor the list, with a special eye on the companies owning and operating those large systems, as they state full HIPAA compliance in their annual reports.

Read the full report.
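The summary above counts archives that answer on the public Internet, but it says nothing about how an operator can confirm that its own archive does not. The following is an added example, not Greenbone's scanner or any code from their report: it encodes a DICOM A-ASSOCIATE-RQ proposing the Verification SOP Class (the C-ECHO handshake every PACS supports) and classifies the first PDU the peer returns. An A-ASSOCIATE-AC for a calling AE title the archive was never configured with means it accepts unauthenticated associations from anyone who can reach the port; an A-ASSOCIATE-RJ still confirms that a DICOM listener is reachable, which matters when the expected answer is a dropped connection. The AE titles, the placeholder implementation class UID and the default port 104 are assumptions made for this example.

```python
"""Check whether a PACS accepts a DICOM association from an arbitrary caller.

PDU layouts and UIDs follow the DICOM standard (PS3.7 Annex A, PS3.8 section 9).
The AE titles, implementation class UID and default port are placeholders for this example.
"""
import socket
import struct
import sys

APP_CONTEXT_UID = "1.2.840.10008.3.1.1.1"      # DICOM Application Context Name
VERIFICATION_SOP_UID = "1.2.840.10008.1.1"     # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE_UID = "1.2.840.10008.1.2"       # Implicit VR Little Endian transfer syntax
EXAMPLE_IMPL_CLASS_UID = "1.2.3.4.5.6.7.8.9"   # placeholder; real products register their own
PDU_ASSOCIATE_RQ, PDU_ASSOCIATE_AC, PDU_ASSOCIATE_RJ, PDU_ABORT = 0x01, 0x02, 0x03, 0x07

def _ae_title(title: str) -> bytes:
    """AE titles occupy exactly 16 bytes, padded with spaces."""
    raw = title.encode("ascii")
    if not 1 <= len(raw) <= 16:
        raise ValueError("AE title must be 1..16 ASCII characters")
    return raw.ljust(16, b" ")

def _item(item_type: int, payload: bytes) -> bytes:
    """Variable item or sub-item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload

def build_associate_rq(called_ae: str, calling_ae: str,
                       impl_class_uid: str = EXAMPLE_IMPL_CLASS_UID) -> bytes:
    """Encode an A-ASSOCIATE-RQ proposing one presentation context for C-ECHO."""
    app_ctx = _item(0x10, APP_CONTEXT_UID.encode("ascii"))
    # Presentation context ID 1 (must be odd) plus three reserved bytes, then the syntaxes
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0])
                     + _item(0x30, VERIFICATION_SOP_UID.encode("ascii"))
                     + _item(0x40, IMPLICIT_VR_LE_UID.encode("ascii")))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384))      # max PDU length we accept
                      + _item(0x52, impl_class_uid.encode("ascii")))
    body = (struct.pack(">H", 1) + b"\x00\x00"      # protocol version 1, reserved
            + _ae_title(called_ae) + _ae_title(calling_ae)
            + b"\x00" * 32                          # reserved
            + app_ctx + pres_ctx + user_info)
    return struct.pack(">BBI", PDU_ASSOCIATE_RQ, 0, len(body)) + body

def classify_reply(pdu: bytes) -> str:
    """Turn the peer's first PDU into a verdict.

    An A-ASSOCIATE-AC for a caller it has never seen means the archive accepts
    unauthenticated associations; an A-ASSOCIATE-RJ still proves a DICOM listener
    is reachable on that port.
    """
    if len(pdu) < 6:
        return "no-dicom"
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type == PDU_ASSOCIATE_AC:
        return "exposed"
    if pdu_type == PDU_ASSOCIATE_RJ and length == 4 and len(pdu) >= 10:
        # RJ payload: reserved, result (1 permanent / 2 transient), source, reason
        _, result, source, reason = pdu[6:10]
        return f"dicom-rejected result={result} source={source} reason={reason}"
    if pdu_type == PDU_ABORT:
        return "dicom-aborted"
    return "no-dicom"

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP",
          calling_ae: str = "PROBE", timeout: float = 5.0) -> str:
    """Connect, send the A-ASSOCIATE-RQ, read one PDU and classify it.

    Run this only against systems you are authorized to test.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_associate_rq(called_ae, calling_ae))
            header = _recv_exact(sock, 6)
            if len(header) < 6:
                return "no-dicom"
            reply = header + _recv_exact(sock, struct.unpack(">I", header[2:6])[0])
    except OSError:
        return "unreachable"
    return classify_reply(reply)

if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: python probe.py <host> [port]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 104))
    else:                   # offline demo on constructed sample replies
        for pdu in (bytes([2, 0, 0, 0, 0, 0]), bytes([3, 0, 0, 0, 0, 4, 0, 1, 1, 7]), b"HTTP/1.1 400\r\n"):
            print(pdu[:6].hex(), "->", classify_reply(pdu))
```

Run it from outside the network boundary against your own archive's public address: the result you want is "unreachable" or "no-dicom". Anything else means the archive, or at least its DICOM listener, is exposed. Many PACS filter on AE title but perform no authentication, so a rejection with source 1 and reason 7 (called AE title not recognized) should not be read as the system being secured; it only means the probe guessed the wrong name.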

Categories: Breach Incidents, Exposure, Health Data
