Insecurely configured servers leak data of millions of patients

Research teams of the Bayerischer Rundfunk (BR) and the US investigative platform ProPublica have found numerous insecure servers holding personal patient data worldwide. For years, unauthorized persons could have accessed it. The journalists contacted a random sample of those affected and verified that the data was genuine.

These include images from breast cancer screenings, spinal images and X-rays. According to the report, the high-resolution images are tagged with personal data such as names and dates of birth.

In total, 16 million data sets from patients in 50 countries are said to be affected. More than one million data sets came from a single US radiology provider alone.

In Germany, medical data of around 13,000 patients from five different locations are affected. According to the report, most of it comes from Ingolstadt and from Kempen in North Rhine-Westphalia. The data is said to be no longer accessible.

Insecurely configured Picture Archiving and Communication System (PACS) servers are to blame for the data being retrievable by essentially anyone. These servers serve, among other things, as the central repository for X-rays and computed tomography images.

Unprotected servers are unfortunately not uncommon, and it happens again and again that databases with personal data are publicly accessible over the Internet. Admins of such servers should make sure that data is reachable via the public Internet only when absolutely necessary. If exposure is indispensable, remote access must at least be protected with a password. Better still is access via a secure, encrypted VPN connection. When transmitting such sensitive data, that should be a matter of course.
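One concrete way for an admin to check the first point above, whether a PACS service is listening on every interface rather than only on loopback or a VPN tunnel address, is to audit the machine's own listening sockets. The following is an added example, not code from the BR/ProPublica report or from any PACS product. It assumes the column layout of Linux `ss -ltn` output, treats ports 104 and 11112 as DICOM listener ports (deployments using other ports pass their own set), and uses a constructed sample of `ss` output and a constructed VPN address allowlist.

```python
"""Audit local listening sockets for DICOM/PACS services bound to all interfaces.

Added example: run `ss -ltn` on the PACS host and feed its output to audit().
"""
import ipaddress
from dataclasses import dataclass

# Well-known DICOM listener ports: 104 is the historic default, 11112 the
# IANA-registered one. Pass your own set if your PACS uses a different port.
DICOM_PORTS = frozenset({104, 11112})

# Constructed sample in the format of `ss -ltn` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:104          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     127.0.0.1:104        0.0.0.0:*
LISTEN  0       128     10.8.0.1:11112       0.0.0.0:*
LISTEN  0       128     192.168.1.20:11112   0.0.0.0:*
LISTEN  0       128     [::]:11112           [::]:*
"""

# Constructed allowlist: the host's address on the VPN tunnel interface.
VPN_ADDRESSES = frozenset({"10.8.0.1"})


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    def is_wildcard(self) -> bool:
        """True if the socket accepts connections on every interface."""
        return self.address in ("0.0.0.0", "::", "*")


def parse_ss_listeners(ss_output: str) -> list[Listener]:
    """Extract (address, port) from the 'Local Address:Port' column of `ss -ltn`."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # skip the header and anything that is not a listener
        addr, _, port = parts[3].rpartition(":")
        listeners.append(Listener(addr.strip("[]"), int(port)))
    return listeners


def classify(listener: Listener, allowed_addresses=frozenset()) -> str:
    """Rate a DICOM listener's binding.

    'exposed'    - bound to all interfaces, so reachable from any network the
                   host is attached to, including the public Internet
    'restricted' - bound to loopback or to an address on the allowlist (VPN)
    'review'     - bound to a specific address that is not on the allowlist;
                   an admin must decide whether that network is acceptable
    """
    if listener.is_wildcard():
        return "exposed"
    if listener.address in allowed_addresses:
        return "restricted"
    if ipaddress.ip_address(listener.address).is_loopback:
        return "restricted"
    return "review"


def audit(ss_output: str, allowed_addresses=frozenset(),
          dicom_ports=DICOM_PORTS) -> dict[str, list[Listener]]:
    """Group every DICOM-port listener by its exposure rating."""
    results: dict[str, list[Listener]] = {"exposed": [], "restricted": [], "review": []}
    for listener in parse_ss_listeners(ss_output):
        if listener.port in dicom_ports:
            results[classify(listener, allowed_addresses)].append(listener)
    return results


if __name__ == "__main__":
    report = audit(SAMPLE_SS_OUTPUT, VPN_ADDRESSES)
    for rating, found in report.items():
        for item in found:
            print(f"{rating:10s} {item.address}:{item.port}")
```

An "exposed" result means the service answers on the public interface as well, which is exactly the condition that left the PACS data in this report open to the Internet; the fix is to bind the service to the VPN or loopback address, or to block the port at the firewall for every source except the VPN subnet.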

The Federal Commissioner for Data Protection, Ulrich Kelber, spoke of a "devastating first impression". According to current knowledge, two hospitals in Germany are affected, Kelber told the German Press Agency. It must now be clarified whether third-party providers may also be responsible. Large fines cannot be ruled out, Kelber said.

The first reports about insecurely configured PACS servers appeared as early as 2016. Apparently nobody was interested, and those responsible did not act. (with dpa material)


