Thousands of NHS medical images found ‘unprotected’ on web

An investigation has been launched after thousands of patients medical images were found accessible on the internet.

Six UK systems storing x-rays, MRI and CT scans were found to be allowing unprotected access to anyone with a web browser, according to German security firm Greenbone Networks.

Some 1,500 patient records were publicly accessible due to “careless configuration” of these systems, along with more than 5,000 medical images. More than 13,000 medical images in the UK were found to be unprotected.

The Information Commissioner’s Office (ICO) and the NHS are investigating.

Using RadiAnt DICOM (digital imaging and communications in medicine) Viewer, an application easily accessible to download on the internet, security experts were able to download and view the patient information.

The vast majority of information discovered in the global study including names; date of birth; date of examination; scope of the examination; type of imaging procedure undertaken; attending physician; institute or clinician; and number of images taken.

In total about 24.3 million data records worldwide were found to be unprotected.

The researchers “did not have to write any special code” to access the patient data, nor was any software vulnerability “exploited”, they said.

To view and download the data, all that was needed was a list of IPs and a DICOM viewer.

“This data is accessible because of the careless configuration of these systems. Many have no protection, aren’t password protected or encrypted,” said Greenbone Networks.

“Even regular, everyday internet users could gain access with a few simple actions.”

In some cases, the PACS (picture archiving and communication system) servers even allowed patient data and images to be viewed via http and a web browser.

“This data could be exploited by attackers for various purposes,” the report warned.

“These include publishing individual names and images to the detriment of a person’s reputation; connecting the data with other Darknet sources to make phishing attacks and social engineering even more effective; reading and automatically processing the data to search for valuable identity information, such as social security numbers, in preparation for identity theft.”

NHS Digital confirmed it was investigating the matter and would “support any NHS organisations that may be affected”.

“We are aware of this report and have contacted the authors to ask them to provide additional technical detail, which we are investigating,” a spokesperson said.

“NHS organisations are responsible for their own technology and cyber security with our role being to provide advice, guidance and specialist expertise to support organisations to make good decisions around data security and to help them to keep patient information safe.”

A spokesperson for the ICO said: “The ICO are in contact with the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), as the relevant data protection authority in Germany, about this matter.

“The ICO will continue to liaise with the data protection authority and partner authorities to establish the details of the incident and to ensure the protection of UK citizens data.”

READ MORE:

• London gender identity clinic investigating ‘data security incident’
• Period tracking apps caught sharing medical data with Facebook
• NHS Digital launches IT security awareness campaign