Sensitive medical data from millions of patients worldwide has been available on openly accessible servers on the internet, in some cases for years. That is the finding of a report by Bayerischer Rundfunk (BR), according to which 13,000 of the discovered data sets belong to German patients. More than half of these records are said to have included medical images such as breast cancer screenings, spinal images and X-rays, in some cases together with names, dates of birth and examination dates.
According to BR, some of the German data was still accessible last week. It came from at least five locations, the report says. The largest share of the data sets can be attributed to patients from the Ingolstadt area and from Kempen in North Rhine-Westphalia.
BR researched the issue together with the US portal "ProPublica"; the journalists verified the authenticity of the data through spot checks with affected patients. The transatlantic cooperation was prompted by a tip from Dirk Schrader: the information security expert had found more than 2,300 servers worldwide on which patient data was stored unprotected.
In practical terms, this does not appear to have been a single major data leak but a large number of unprotected computers. According to BR, Schrader has also informed the Federal Office for Information Security (BSI) of his discovery.
A total of 16 million records
Overall, the data security problem is said to affect around 50 countries, BR reports, from Brazil to Turkey to India. Patients from the USA are particularly affected. "For a single provider of radiological examinations alone, more than a million patient data sets were accessible, according to an evaluation by ProPublica," the report says.
According to the report, the data frequently consists of images from magnetic resonance imaging (MRI). The MRI scanner produces two- and three-dimensional images of the patient's body. These images are sent by the archiving devices to dedicated servers, BR reports. X-rays and computed tomography images also end up on such servers, which in many cases were apparently not sufficiently protected.
The Federal Commissioner for Data Protection, Ulrich Kelber, spoke of a "devastating first impression". According to current knowledge, two hospitals in Germany are affected, Kelber told the news agency dpa. It must now be clarified whether third-party providers may also be responsible. High fines are not ruled out, Kelber said.