More than 1 billion medical images -- approximately half of which are from U.S. patients -- remain unsecured and accessible using publicly available software, according to new reporting by TechCrunch and Heavy.com in collaboration with German security firm Greenbone Networks. And the problem is only getting worse.
In September, Greenbone Networks discovered that 24.5 million patient exams and 737 million images were available online worldwide. By November, 35 million patient studies (up 40%) and 1.19 billion images (up 60%) were found to be publicly accessible.
"60 days later, the overall status of unprotected PACS [servers] around the globe isn't getting better," Greenbone wrote in a blog post. "The situation is the U.S. seems to be an unstoppable information security and data privacy disaster."
Number of unsecured images by U.S. state. Graphic courtesy of Greenbone Networks.
In addition to finding a "disturbing" increase in aggregate numbers of unsecured imaging data in the U.S., Greenbone said it found some "alarming" datasets stored in unprotected PACS. For example, one large archive allows full access to protected health information, including all images related to 1.2 million imaging exams. What's more, 75% of the individual names stored in the archive also displayed Social Security numbers, according to the firm.
"The potential risk for medical identity theft for the affected individuals sums up to about $3.3 billion," Greenbone wrote. "That amount is almost two-third of the overall financial risk calculated for this type of exploitation and the PACS identified."
Furthermore, Greenbone found another archive that appears to hold imaging data from military personnel, including their U.S. Department of Defense identification and the names of the institutions.
"Although the number of datasets isn't huge, the fact itself provides for means of exploitation," Greenbone wrote.
During its investigation, TechCrunch found a number of U.S. imaging centers storing decades of patient imaging exams. The website reported that after Greenbone contacted more than 100 organizations last month about their exposed servers, many of the smaller practices secured their systems -- yielding a small decline in the overall number of exposed images. However, Greenbone received no response from the 10 largest organizations, which accounted for approximately 20% of all exposed medical images, according to TechCrunch.
After following up with each of the organizations one month later, TechCrunch found that only one -- Alliance Radiology partner Northeast Radiology -- had secured its PACS server. That server held 61 million images from approximately 1.2 million patients and represented the largest cache of exposed medical data in the U.S., according to TechCrunch.
If the remaining affected organizations took their exposed systems offline, almost 600 million images would "disappear" from the Internet, Greenbone's Dirk Schrader told TechCrunch. TechCrunch said it wasn't disclosing the names of the other nine organizations in order to limit the risk of exposed patient data.
