Unsecured servers made it possible to access patient names, birth dates, treatment plans, even high-resolution x-rays and MRIs. Globally, millions of patients are affected.
German ministers are calling for greater data security following news that medical data for more than 13,000 German patients was freely available online for years.
Many of the data sets have names associated with them and more than half contain photos. German public broadcaster Bayerische Rundfunk (BR) and American investigative journalism platform ProPublica published the news on Tuesday.
German Health Minister Jens Spahn was pulled away from his plans for the first-ever World Patient Safety Day — also Tuesday — to address the breach.
"The legal requirement is very, very clear," he said in a statement in Berlin. "For every organization in Germany that saves individual patient data, whether it's on a computer at the doctor's office or on a server, data security needs to be guaranteed at every moment. And that was clearly not the case here."
Federal Commissioner for Data Protection Ulrich Kelber also responded, saying, "We don't want this data to end up with an employer, an insurance company, a bank. It makes it more likely you'll be rejected for a job or for credit." It needs to be clarified whether third parties are responsible, he said.
The exposure involves about 16 million data sets worldwide, spanning more than 50 countries. In Germany, the data can be traced to five primary locations, with the largest share coming out of Ingolstadt and the city of Kemp in North Rhine-Westphalia.
Until last week, the data could be accessed online via multiple unsecured servers. One in Bavaria contained data from some 7,000 patients, accessible without a password. The servers are no longer online.
Information security expert Dirk Schrader first discovered the data and alerted journalists at BR.
When an x-ray or MRI machine produces an image, it stores that image on a dedicated archiving server (a picture archiving and communication system, or PACS) so that clinicians can retrieve it later. Schrader found he could easily access private medical records and images from over 2,300 of these servers, because they were reachable from the internet and asked for no password.
"For the systems that I checked, I had the impression that, in a pinch, I could access the image faster than the doctor," he told BR.
BR tested and confirmed Schrader's process and verified the validity of the medical data by contacting a sample of the victims.
As of Tuesday morning, the Federal Office for Information Security was looking into 17 cases and had contacted three of the victims. A spokesman for the State Office for Data Security in Bavaria said they are reviewing next steps, including "obvious measures like improved IT security up to the imposition of a financial penalty."
David Emm, security researcher at Kaspersky, says the health sector urgently needs better data security measures. "We assume that, in 2018 alone, 28% of devices in hospitals were attacked."
kp/se (dpa, AFP)