
A German security firm has identified hundreds of unprotected PACS servers around the world that store millions of medical images and related patient information. Although more than half of those exposed data records were on servers in the U.S., a substantial number were also found among European countries.
The analysis, which was performed by Greenbone Networks between mid-July 2019 and early September 2019, showed that 590 of the 2,300 archive systems worldwide were accessible on the internet via web browser or free software programs. These contained 24 million data records from patients around the world -- including 19 European countries -- and more than 737 million images linked to the data records. Of these 737 million images, 400 million could easily be downloaded.
Furthermore, 39 systems -- including one in Switzerland -- were completely unprotected, enabling access to patient data via an unencrypted hypertext transfer protocol (HTTP) web viewer.
"The sum of these data leaks of unprotected patient data available on the internet is one of the largest data glitches worldwide to date," researchers from Greenbone wrote in their report. "52 countries around the world are affected, including all leading economic nations and the most populous countries in the world."
The vast majority of the accessible data records included information protected by the European Union's General Data Protection Regulation: patient name, birth date, examination date, scope of the investigation, type of imaging procedure, attending physician, institute/clinic, and the number of generated images, according to Greenbone.
Open image servers by European country, ranked by number of accessible data records for imaging studies

| European country | Systems allowing unprotected access via DICOM | No. of accessible imaging study data records | No. of images linked to imaging study data records | No. of accessible images |
| --- | --- | --- | --- | --- |
| Turkey | 36 | 4,924,141 | 179,533,940 | 178,283,858 |
| Slovakia | 1 | 127,636 | 382,908 | 0 |
| Italy | 10 | 102,893 | 5,843,319 | 1,174,600 |
| Czech Republic | 2 | 97,997 | 674,686 | 0 |
| France | 7 | 47,662 | 5,275,222 | 2,668,170 |
| Serbia | 1 | 30,484 | 15,242,000 | 15,242,000 |
| Bulgaria | 2 | 27,058 | 40,977 | 40,977 |
| Spain | 1 | 17,662 | 52,986 | 0 |
| Germany | 6 | 15,310 | 2,859,595 | 1,394,845 |
| Netherlands | 3 | 11,270 | 113,408 | 113,408 |
| Greece | 2 | 10,211 | 2,557,600 | 2,557,600 |
| Russian Federation | 5 | 9,858 | 887,042 | 25,000 |
| Portugal | 3 | 5,766 | 1,581,101 | 1,581,100 |
| Cyprus | 1 | 3,459 | 1,124,175 | 1,124,175 |
| U.K. | 6 | 1,571 | 13,335 | 5,070 |
| Switzerland | 2 | 1,541 | 231,840 | 231,840 |
| Ukraine | 1 | 1,139 | 199,325 | 199,325 |
| Albania | 1 | 200 | 1,000 | 0 |
| Romania | 1 | 67 | 737 | 0 |
On the bright side, only one country -- Switzerland -- had a system that allowed unprotected access to patient data through any of the following: a DICOM web viewer, an unencrypted file transfer protocol (FTP) service, downloading of complete DICOM archives via HTTP, or a directory listing of the DICOM archive files in the web browser.
Public attention
After performing its initial analysis, Greenbone shared its findings with German public broadcaster Bayerischer Rundfunk, which then teamed up with nonprofit journalism organization ProPublica on a collaborative investigation and report. They scanned the IP addresses of the unprotected servers, attempted to identify which medical providers they belonged to, and determined how many patients could be affected.
They also found that some servers were running outdated operating systems with known security vulnerabilities. The organizations reported that most cases of unprotected data involved independent radiologists, medical imaging centers, or archiving services; large hospital chains and academic medical centers had security protections in place. In good news, no evidence was found that patient data had been copied from the open systems and published elsewhere.
The Greenbone report and the subsequent investigation by Bayerischer Rundfunk and ProPublica have also triggered investigations by the U.K. National Health Service (NHS) and the Information Commissioner's Office, according to a report published 29 September in the Times.
Recommendations
These vulnerabilities are caused by a faulty configuration of the infrastructure and the server, rather than a PACS software issue. As a result, the Greenbone researchers suggested several possibilities for remedying the problem:
- Access control lists for all Internet Protocol (IP) addresses and/or port filters
- Access control through the implementation of authentication, authorization, and accounting (AAA) systems
- Virtual private network (VPN) access for selected persons/institutions
- Detailed configuration of application entity (AE) titles
"These measures could make accessing the systems more difficult, or prevent access altogether," the authors wrote. "In doing so, however, it is important to consider which authorized authorities require access to the data, such as hospital associations or general practitioners."
The Greenbone team also acknowledged that each individual site may not be able to implement all of the available solutions.
"However, according to our observations, there is no case in which a higher degree of security would not be worthwhile," the authors wrote. "A comprehensive and repeated inventory of IT systems and their vulnerabilities within an organization is the best way to uncover such flawed configurations."
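As an added illustration of the IP access control and AE title recommendations above (not code from the Greenbone report or from any PACS product), the following Python models the check a DICOM archive should apply to every inbound association: deny by default, accept only registered calling AE titles, and only from the addresses registered for them. The archive AE title, the peer list and the association log lines are all constructed for the example.

```python
# Added example (not code from the Greenbone report): a minimal model of the
# DICOM access policy the recommendations describe. All names are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_AE_TITLE = "PACS_MAIN"  # assumed AE title of our own archive
# Registered peers: calling AE title -> network it may associate from.
# Anything not listed is rejected (deny by default).
REGISTERED_PEERS = {
    "CT_SCANNER_1": ip_network("10.20.0.0/24"),
    "GP_PRACTICE_7": ip_network("10.99.7.5/32"),  # e.g. reached over VPN
}

@dataclass
class AssociationRequest:
    source_ip: str
    calling_ae: str
    called_ae: str

def evaluate_association(req: AssociationRequest) -> tuple[bool, str]:
    """Return (accepted, reason) for one inbound DICOM association."""
    if req.called_ae != LOCAL_AE_TITLE:
        return False, "called AE title does not match this archive"
    net = REGISTERED_PEERS.get(req.calling_ae)
    if net is None:
        return False, "calling AE title not registered"
    if ip_address(req.source_ip) not in net:
        return False, "calling AE title used from an unexpected address"
    return True, "registered peer from its configured network"

# Constructed association log, one request per line: "<ip> <calling> -> <called>"
SAMPLE_LOG = """\
10.20.0.15 CT_SCANNER_1 -> PACS_MAIN
203.0.113.9 CT_SCANNER_1 -> PACS_MAIN
198.51.100.4 ANY-SCP -> PACS_MAIN
10.99.7.5 GP_PRACTICE_7 -> PACS_MAIN
10.20.0.15 CT_SCANNER_1 -> ANY
"""

def audit(log_text: str) -> list[tuple[str, bool, str]]:
    """Evaluate each logged request; the REJECT lines are what to review."""
    results = []
    for line in log_text.splitlines():
        ip, calling, _, called = line.split()
        ok, why = evaluate_association(AssociationRequest(ip, calling, called))
        results.append((ip, ok, why))
    return results

if __name__ == "__main__":
    for ip, ok, why in audit(SAMPLE_LOG):
        print(f"{'ACCEPT' if ok else 'REJECT'} {ip:14} {why}")
```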