Research by ProPublica and Bayerischer Rundfunk has shown that around 16 million patient records have been freely accessible on the Internet for years. Anyone could gain access to the sensitive data.
The data records mainly contained X-ray, MRI and CT images. Alongside the images, the patients' personal data was also accessible: names, addresses and dates of birth, for example, were exposed. The sensitive data was stored on so-called PACS servers (picture archiving and communication systems), on which medical images obtained with imaging techniques are stored.
It has been known for some time that these servers are often poorly secured. Prof. Dr. Oleg Pianykh, Professor of Radiology at Harvard Medical School, for example, already drew attention to the situation in 2016, apparently without any response. While Pianykh spoke of 2,700 accessible data sets in 2016, today the figure is more than 16 million, approximately 13,000 of which come from patients in Germany.
Security expert Dirk Schrader alerted the journalists researching the matter to the problem and also informed the Federal Office for Information Security (BSI). The BSI contacted three affected institutions and informed some of the providers concerned; it also contacted IT security authorities in 46 other countries.
Under the General Data Protection Regulation (GDPR), the server operators responsible must inform the persons whose data were affected by the security breach. Whether, when and in what form this will actually happen remains unclear. German politicians, however, have already spoken out and called for strict handling of sensitive data.