top of page

Exposed to the Bare Bone: When Private Medical Scans Surface on the Internet 

Updated: Aug 13

Over 1.2 Million Healthcare Devices and Systems Available on the Open Internet


How would you feel if strangers online saw your MRI scan and knew your diagnosis, maybe even before you did?  


Figure 1: Skull X-ray with Protected Health Information (PHI) accessed on the open Internet
Figure 1: Skull MRI with Protected Health Information (PHI) accessed on the open Internet 

You’ve just had an MRI. Naturally, you assume that your results will remain confidential and protected. What happens if there is a vulnerability in the medical system made to aid your doctor with their evaluation and your most sensitive scan, diagnosis, even your personally identifiable information (PII) can be accessed online?  


New research by European cybersecurity company Modat reveals that misconfigured internet-connected devices are resulting in private information that can be accessed online. Confidential medical images, including MRI scans, X-rays, and even blood work results of hospital patients worldwide, are being exposed online due to cybersecurity vulnerabilities in healthcare networks and devices. 


Examples of data being leaked in this way include brain scans and X-rays, stored alongside protected health information and personally identifiable information of the patient, potentially representing both a breach of patient’s confidentiality and privacy. 

In the worst-case scenario, leaked sensitive medical information could leave unsuspecting victims open to fraud or even blackmail over a confidential medical condition. 


Figure 2: Confidential MRI scan of chest, lungs, and leg along with patient details
Figure 2: Confidential X-ray scan of chest, lungs, and leg along with patient details

Figure 3: Clickable List of Patient Body Scans and their Personal Information
Figure 3: Clickable List of Patient Body Scans and their Personal Information

The misconfigured and vulnerable devices were identified using Modat Magnify Designed by and for cybersecurity professionals, Modat Magnify identifies and catalogues internet-connected devices, providing each with a unique profile in the database to help with vulnerability and configuration management. 


By running a Modat Magnify query using the ‘device DNA’ tag HEALTHCARE, researchers were able to identify information on 1.2M+ devices available to the open internet. While this data may include honeypots, the results remain alarming. Many are at risk due to security vulnerabilities or misconfigurations, and in some cases because they lack proper authentication. Query results show details about device type, IP addresses, and geographic location, among others.


From a geographic scope the 10 countries with the highest numbers (as of scan date) were:  

  • United States (174K+)  

  • South Africa (172K+) 

  • Australia (111K+) 

  • Brazil (82K+) 

  • Germany (81K+) 

  • Ireland (81K+) 

  • Great Britain (77K+) 

  • France (75K+)  

  • Sweden (74K+) 

  • Japan (48K+)  

Figure 4: Map of Impact
Figure 4: Map of Impact

Researchers were then able to get more specific with the data, for example, by searching for devices identified as MRI scanners with unintended access points.  


Due to scanners that weren't configured securely, researchers uncovered and identified brain scan images, complete with patients' names and scan dates. Using the same method, they accessed a range of other medical images: eye exams from opticians, dental X-rays, blood test results, and even detailed lung MRIs commonly used to aid patients who are suffering from lung cancer. A shockingly wide number of exposed medical documents. 

 

In some cases, these systems aren’t using any authentication methods at all, while in other cases, some authentication is used but with weak or default credentials set by the manufacturer. Others were misconfigured which allowed access more than it should have, to systems that are vulnerable to zero days or known exploits. Others were simply legacy systems that are still being used, despite being out of support. 


TLP AMBER: STRICT NOT FOR RELEASE - UNDER EMBARGO Exposed to the Bare Bone: When Private Medical Scans Surface on the Internet ​ Over 1.2 Million Healthcare Devices and Systems Available on the Open Internet How would you feel if strangers online saw your MRI scan and knew your diagnosis, maybe even before you did? ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ Figure 1: Skull X-ray with Protected Health Information (PHI) accessed on the open Internet You’ve just had an MRI. Naturally, you assume that your results will remain confidential and protected. What happens if there is a vulnerability in the medical system made to aid your doctor with their evaluation and your most sensitive scan, diagnosis, even your personally identifiable information (PII) can be accessed online? New research by European cybersecurity company Modat reveals that misconfigured internet-connected devices are resulting in private information that can be accessed online. Confidential medical images, including MRI scans, X-rays, and even blood work results of hospital patients worldwide, are being exposed online due to cybersecurity vulnerabilities in healthcare networks and devices. Examples of data being leaked in this way include brain scans and X-rays, stored alongside protected health information and personally identifiable information of the patient, potentially representing both a breach of patient’s confidentiality and privacy. In the worst-case scenario, leaked sensitive medical information could leave unsuspecting victims open to fraud or even blackmail over a confidential medical condition. Figure 2: Confidential MRI scan of chest, lungs, and leg along with patient details ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Figure 3: Clickable List of Patient Body Scans and their Personal Information ​​ The misconfigured and vulnerable devices were identified using Modat Magnify Designed by and for cybersecurity professionals, Modat Magnify identifies and catalogues internet-connected devices, providing each with a unique profile in the database to help with vulnerability and configuration management. By running a Modat Magnify query using the ‘device DNA’ tag HEALTHCARE, researchers were able to identify information on 1.2M+ devices available to the open internet. While this data may include honeypots, the results remain alarming. Many are at risk due to security vulnerabilities or misconfigurations, and in some cases because they lack proper authentication. Query results show details about device type, IP addresses, and geographic location, among others. ​​ From a geographic scope the 10 countries with the highest numbers (as of scan date) were: United States (174K+) South Africa (172K+) Australia (111K+) Brazil (82K+) Germany (81K+) Ireland (81K+) Great Britain (77K+) France (75K+) Sweden (74K+) Japan (48K+) Figure 4: Map of Impact Researchers were then able to get more specific with the data, for example, by searching for devices identified as MRI scanners with unintended access points. Due to scanners that weren't configured securely, researchers uncovered and identified brain scan images, complete with patients' names and scan dates. Using the same method, they accessed a range of other medical images: eye exams from opticians, dental X-rays, blood test results, and even detailed lung MRIs commonly used to aid patients who are suffering from lung cancer. A shockingly wide number of exposed medical documents. In some cases, these systems aren’t using any authentication methods at all, while in other cases, some authentication is used but with weak or default credentials set by the manufacturer. Others were misconfigured which allowed access more than it should have, to systems that are vulnerable to zero days or known exploits. Others were simply legacy systems that are still being used, despite being out of support. ​​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ ​ ​ ​ ​​Figure 5: Modat Magnify Query Results Page with 1.2M+ results
Figure 5: Modat Magnify Query Results Page with 1.2M+ results

TLP AMBER: STRICT NOT FOR RELEASE - UNDER EMBARGO Exposed to the Bare Bone: When Private Medical Scans Surface on the Internet ​ Over 1.2 Million Healthcare Devices and Systems Available on the Open Internet How would you feel if strangers online saw your MRI scan and knew your diagnosis, maybe even before you did? ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ Figure 1: Skull X-ray with Protected Health Information (PHI) accessed on the open Internet You’ve just had an MRI. Naturally, you assume that your results will remain confidential and protected. What happens if there is a vulnerability in the medical system made to aid your doctor with their evaluation and your most sensitive scan, diagnosis, even your personally identifiable information (PII) can be accessed online? New research by European cybersecurity company Modat reveals that misconfigured internet-connected devices are resulting in private information that can be accessed online. Confidential medical images, including MRI scans, X-rays, and even blood work results of hospital patients worldwide, are being exposed online due to cybersecurity vulnerabilities in healthcare networks and devices. Examples of data being leaked in this way include brain scans and X-rays, stored alongside protected health information and personally identifiable information of the patient, potentially representing both a breach of patient’s confidentiality and privacy. In the worst-case scenario, leaked sensitive medical information could leave unsuspecting victims open to fraud or even blackmail over a confidential medical condition. Figure 2: Confidential MRI scan of chest, lungs, and leg along with patient details ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Figure 3: Clickable List of Patient Body Scans and their Personal Information ​​ The misconfigured and vulnerable devices were identified using Modat Magnify Designed by and for cybersecurity professionals, Modat Magnify identifies and catalogues internet-connected devices, providing each with a unique profile in the database to help with vulnerability and configuration management. By running a Modat Magnify query using the ‘device DNA’ tag HEALTHCARE, researchers were able to identify information on 1.2M+ devices available to the open internet. While this data may include honeypots, the results remain alarming. Many are at risk due to security vulnerabilities or misconfigurations, and in some cases because they lack proper authentication. Query results show details about device type, IP addresses, and geographic location, among others. ​​ From a geographic scope the 10 countries with the highest numbers (as of scan date) were: United States (174K+) South Africa (172K+) Australia (111K+) Brazil (82K+) Germany (81K+) Ireland (81K+) Great Britain (77K+) France (75K+) Sweden (74K+) Japan (48K+) Figure 4: Map of Impact Researchers were then able to get more specific with the data, for example, by searching for devices identified as MRI scanners with unintended access points. Due to scanners that weren't configured securely, researchers uncovered and identified brain scan images, complete with patients' names and scan dates. Using the same method, they accessed a range of other medical images: eye exams from opticians, dental X-rays, blood test results, and even detailed lung MRIs commonly used to aid patients who are suffering from lung cancer. A shockingly wide number of exposed medical documents. In some cases, these systems aren’t using any authentication methods at all, while in other cases, some authentication is used but with weak or default credentials set by the manufacturer. Others were misconfigured which allowed access more than it should have, to systems that are vulnerable to zero days or known exploits. Others were simply legacy systems that are still being used, despite being out of support. ​​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ ​ ​ ​ ​​​ Figure 5: Modat Magnify Query Results Page with 1.2M+ results ​ ​ Figure 6: Clickable List of Optical Results and their Personal Information w Editing Capabilities ​
Figure 6: Clickable List of Optical Results and their Personal Information w Editing Capabilities

Figure 7: Clickable List of Optical Results and their Personal Information w Editing Capabilities
Figure 7: Clickable List of Optical Results and their Personal Information w Editing Capabilities

TLP AMBER: STRICT NOT FOR RELEASE - UNDER EMBARGO Exposed to the Bare Bone: When Private Medical Scans Surface on the Internet ​ Over 1.2 Million Healthcare Devices and Systems Available on the Open Internet How would you feel if strangers online saw your MRI scan and knew your diagnosis, maybe even before you did? ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ Figure 1: Skull X-ray with Protected Health Information (PHI) accessed on the open Internet You’ve just had an MRI. Naturally, you assume that your results will remain confidential and protected. What happens if there is a vulnerability in the medical system made to aid your doctor with their evaluation and your most sensitive scan, diagnosis, even your personally identifiable information (PII) can be accessed online? New research by European cybersecurity company Modat reveals that misconfigured internet-connected devices are resulting in private information that can be accessed online. Confidential medical images, including MRI scans, X-rays, and even blood work results of hospital patients worldwide, are being exposed online due to cybersecurity vulnerabilities in healthcare networks and devices. Examples of data being leaked in this way include brain scans and X-rays, stored alongside protected health information and personally identifiable information of the patient, potentially representing both a breach of patient’s confidentiality and privacy. In the worst-case scenario, leaked sensitive medical information could leave unsuspecting victims open to fraud or even blackmail over a confidential medical condition. Figure 2: Confidential MRI scan of chest, lungs, and leg along with patient details ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Figure 3: Clickable List of Patient Body Scans and their Personal Information ​​ The misconfigured and vulnerable devices were identified using Modat Magnify Designed by and for cybersecurity professionals, Modat Magnify identifies and catalogues internet-connected devices, providing each with a unique profile in the database to help with vulnerability and configuration management. By running a Modat Magnify query using the ‘device DNA’ tag HEALTHCARE, researchers were able to identify information on 1.2M+ devices available to the open internet. While this data may include honeypots, the results remain alarming. Many are at risk due to security vulnerabilities or misconfigurations, and in some cases because they lack proper authentication. Query results show details about device type, IP addresses, and geographic location, among others. ​​ From a geographic scope the 10 countries with the highest numbers (as of scan date) were: United States (174K+) South Africa (172K+) Australia (111K+) Brazil (82K+) Germany (81K+) Ireland (81K+) Great Britain (77K+) France (75K+) Sweden (74K+) Japan (48K+) Figure 4: Map of Impact Researchers were then able to get more specific with the data, for example, by searching for devices identified as MRI scanners with unintended access points. Due to scanners that weren't configured securely, researchers uncovered and identified brain scan images, complete with patients' names and scan dates. Using the same method, they accessed a range of other medical images: eye exams from opticians, dental X-rays, blood test results, and even detailed lung MRIs commonly used to aid patients who are suffering from lung cancer. A shockingly wide number of exposed medical documents. In some cases, these systems aren’t using any authentication methods at all, while in other cases, some authentication is used but with weak or default credentials set by the manufacturer. Others were misconfigured which allowed access more than it should have, to systems that are vulnerable to zero days or known exploits. Others were simply legacy systems that are still being used, despite being out of support. ​​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ ​ ​ ​ ​​​ Figure 5: Modat Magnify Query Results Page with 1.2M+ results ​ ​ Figure 6: Clickable List of Optical Results and their Personal Information w Editing Capabilities ​​ ​ ​ ​ ​ ​ ​ ​ Figure 7: Clickable List of Optical Results and their Personal Information w Editing Capabilities ​​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Figure 8: Bloodwork results including vitals and biometrics of patient
Figure 8: Bloodwork results including vitals and biometrics of patient 

Not only is there the risk that vulnerable systems could allow cyber criminals to access and steal sensitive medical data, there’s also the very real threat of misconfigured medical devices acting as a gateway to the network for a significant incident like a ransomware attack - especially when attackers target healthcare - because they know hospitals can’t afford to be out of service. 


"This represents a significant and pervasive challenge with global implications. Our research has identified substantial numbers of exposed healthcare systems, and this trend continues to expand as we conduct more analysis. The scale and accessibility of these vulnerabilities suggest that malicious actors likely possess the same capabilities, creating considerable risk for the healthcare sector," said Soufian El Yadmani, Founder and CEO of Modat. 


"These vulnerabilities enable targeted attacks on specific systems to access sensitive data. The potential for unauthorized access to medical records, diagnostic imaging, or clinical documentation of people, including high-profile individuals, presents significant security and privacy risks. Beyond data theft, the possibility of data manipulation poses even greater concerns. Such information represents a valuable target for various threat actors seeking to exploit personal health data for malicious purposes." 

Reasons why devices are vulnerable 


  • Misconfigurations and insecure management settings: Setting up a network to be operational can be a complex challenge, especially with new devices and applications being added all the time. This complexity can create issues around misconfiguration. In a connected world, IT administrators are used to connecting everything to the internet. With specialist healthcare devices, this isn’t necessarily the case – but the default strategy for setting up equipment may involve connecting it to the internet, leaving the device and the data on it exposed. Depending on what other settings have been changed, devices that have no need to be accessible could find themselves directly facing the internet, open to anyone who wants to find them.


  • Default or weak passwords: Many medical devices arrive with a default password. For one reason or another, IT teams don’t change these, even though some devices share the same default password when they’re shipped. It only takes one of those default passwords to be exposed online for every other device user still using the same password to be at risk. This issue also arises when weak or common passwords are used. Some example passwords used included: admin, demo, secret, 123456, 123456789, and manufacturing credentials that are available online. Administrators might use a simple password for ease of access, but commonly used passwords are easy to guess and easy to brute-force, potentially providing outsiders with access to sensitive information.


  • Unpatched vulnerabilities in firmware or software: Security vulnerabilities are discovered in software regularly. They can range from critical to trivial, but no matter the severity, there’s the risk that attackers can exploit vulnerabilities for their gain. It’s why application and device manufacturers release security patches for their products. But sometimes, the patch doesn’t get applied - especially in medical environments, where taking systems offline to apply an update can feel impossible. There’s also the risk of applications and software reaching end-of-life, meaning that even if a vulnerability is discovered, a patch won’t be released. These are prime targets for attackers.   


Figure 9 - Ribcage Scan Showing Detailed Diagnostic Results and with Patient Details
Figure 9: Ribcage Scan Showing Detailed Diagnostic Results and with Patient Details

Figure 10: Different Angle Diagnostic Patient Scans with Identifying Patient Information
Figure 10: Different Angles of Diagnostic Patient Scans with Identifying Patient Information

The Solution 

The healthcare industry's cybersecurity challenges offer several critical lessons that can transform how the sector approaches security. Firstly, security is a patient safety issue, not just an IT concern. A proactive security culture beats a reactive response. Modat engaged in responsible disclosure by reaching out to several relevant organizations, including Health-ISAC and Z-CERT in the Netherlands.


Errol Weiss, Chief Security Officer at Health-ISAC said that "the findings from Modat underscore a critical and pervasive challenge facing healthcare globally. We consistently emphasize that cybersecurity is inextricably linked to patient safety and operational continuity. This research reinforces the urgent need for comprehensive asset visibility, robust vulnerability management, and a proactive approach to securing every internet-connected device in healthcare environments, ensuring that sensitive patient data remains protected from unauthorized access and potential exploitation."


Modat also worked with Health-ISAC to serve as a trusted responsible disclosure agent for the initial findings from this report.  Health-ISAC publishes hundreds of Targeted Alerts every year to organizations globally warning them of high risks specific to their network — including things like vulnerable servers, cyber criminals selling access to their networks, stolen intellectual property, compromised credentials, exposed medical devices, open RDP ports and more.


CERTs (Computer Emergency Response Teams) are organizations who take a proactive approach toward digital security. In the Netherlands, Z-CERT is active in the effort to prevent and reduce the impact of cyber incidents in healthcare. This can include protection of patient data, ensuring continuity of care, and defending against cyberattacks.


 "At Z-CERT we closely monitor cyber threats and vulnerable systems within the healthcare sector. At the same time, we truly value external researchers like Modat who work with us and help identify potential risks,” said Wim Hafkamp, Director of Z-CERT. “These extra sets of eyes help us keep Dutch healthcare digitally secure. Thanks to their findings we have been able to inform and advise several healthcare organizations in the Netherlands." 


The first thing you need to worry about is your exposure; it’s always less risky when you are not exposed. If you are exposed, that’s already a big problem.


"The primary risk is unnecessary network exposure. These medical systems should only be connected to secure, properly configured networks when there is a legitimate clinical need for remote access. While remote MRI operations are becoming more common to address staffing shortages and provide specialized expertise, many systems remain exposed to the internet without adequate cybersecurity measures,” El Yadmani stated. “The question we should be asking is: Why are there MRI scanners with internet connectivity that lack proper security measures?” 

  

Organizations must implement regular security assessments and maintain comprehensive asset inventories, as personnel changes and operational modifications can introduce configuration drift and security gaps. Continuous monitoring of network-connected devices is essential to identify potential exposures, misconfigurations, or emerging vulnerabilities. By doing that, healthcare facilities can significantly reduce their cybersecurity risk profile. 


About Modat 

Founded in 2024, Modat is a European research-driven cybersecurity company focused on strengthening cyber resilience for individuals, companies, and governments. Our flagship platform, Modat Magnify, leverages the world’s largest Internet “Device DNA” dataset to fingerprint and catalogue every internet connected device creating a unique profile, enabling faster threat intelligence. 


Modat was created by researching, listening to, and directly experiencing the needs and challenges of security professionals. Our products enable the security community by giving access to unparalleled speed, contextualized data, and predictive insights.  We are actively joining the fight to get ahead of cyber-attacks by narrowing the growing gap between digital threats and resilience. Join us to outpace and outlast. 


>> Learn more by visiting modat.io and to access the platform visit magnify.modat.io 


Visit: 

bottom of page