The healthcare industry’s digital expansion may be exposing more than it protects. How would you feel if strangers online saw your MRI scan and knew your diagnosis, maybe even before you did?
That’s not a hypothetical, it’s already happening.
New research from Modat shows that more than 1.2 million internet-connected healthcare devices and systems are publicly accessible online, leaking private patient data (from brain scans to blood tests) through basic security lapses.
Many of these devices are misconfigured, poorly secured, or running on outdated software. Some don’t require authentication at all. Others are protected by default or weak passwords like “admin” or “123456.”
Highly sensitive medical information, including names, diagnoses, and diagnostic imaging, is being exposed to anyone with the right search tools.
Confidential by Design, Public by Mistake
Using a tool called Modat Magnify, researchers scanned the internet for devices tagged with “HEALTHCARE.” The results were alarming. The platform, designed for cybersecurity professionals, maps connected devices and assigns them a unique profile for vulnerability and configuration management.
The Magnify query returned details on more than 1.2 million healthcare-related devices. While some could be honeypots, the sheer volume raises red flags.
Among the exposed data:
- Skull X-rays linked to patient names
- Lung MRIs with identifying details
- Eye exam results from opticians
- Bloodwork and diagnostic vitals
- Editable optical scan files
Some systems lacked authentication altogether. Others used default settings provided by manufacturers. And many hadn’t been patched against known vulnerabilities.
According to Soufian El Yadmani, Founder and CEO of Modat: “This represents a significant and pervasive challenge with global implications. Our research has identified substantial numbers of exposed healthcare systems, and this trend continues to expand as we conduct more analysis. The scale and accessibility of these vulnerabilities suggest that malicious actors likely possess the same capabilities, creating considerable risk for the healthcare sector.”
He says these vulnerabilities enable targeted attacks on specific systems to access sensitive data. “The potential for unauthorized access to medical records, diagnostic imaging, or clinical documentation of people, including high-profile individuals, presents significant security and privacy risks. Beyond data theft, the possibility of data manipulation poses even greater concerns. Such information represents a valuable target for various threat actors seeking to exploit personal health data for malicious purposes.”
Global Exposure
The scan identified vulnerable systems in over 100 countries. Among the worst affected were:
- United States (174K+)
- South Africa (172K+)
- Australia (111K+)
- Brazil (82K+)
- Germany (81K+)
- Ireland (81K+)
- Great Britain (77K+)
- France (75K+)
- Sweden (74K+)
- Japan (48K+)
In some cases, full patient records were accessible from the device interface, no password required.
The reasons are manifold. As the report notes, setting up medical equipment often involves connecting to networks. That may include the internet, even when it’s not needed. Combined with weak passwords, unpatched software, or legacy systems, this creates fertile ground for attack.
A Doorway to Greater Risk
While data leaks are damaging enough, the real danger lies in what happens next. Many of these exposed devices serve as potential gateways to hospital networks. Once inside, attackers could deploy ransomware or disrupt services, knowing full well that downtime in healthcare isn’t an option.
Errol Weiss, Chief Security Officer at Health-ISAC, added: “The findings from Modat underscore a critical and pervasive challenge facing healthcare globally. We consistently emphasize that cybersecurity is inextricably linked to patient safety and operational continuity. This research reinforces the urgent need for comprehensive asset visibility, robust vulnerability management, and a proactive approach to securing every internet-connected device in healthcare environments, ensuring that sensitive patient data remains protected from unauthorized access and potential exploitation.”
Modat worked closely with Health-ISAC to handle the findings responsibly, sharing details with impacted organizations. The firm also coordinated with Z-CERT, a cybersecurity response group focused on healthcare in the Netherlands.
Wim Hafkamp, Director of Z-CERT, commented: “At Z-CERT we closely monitor cyber threats and vulnerable systems within the healthcare sector. At the same time, we truly value external researchers like Modat who work with us and help identify potential risks. These extra sets of eyes help us keep Dutch healthcare digitally secure. Thanks to their findings we have been able to inform and advise several healthcare organizations in the Netherlands.”
So What’s the Fix?
The healthcare sector must treat cybersecurity as a core part of patient safety, not a side concern. That means:
- Limiting internet exposure to only what is strictly necessary
- Maintaining up-to-date inventories of all connected devices
- Replacing default passwords with strong, unique ones
- Patching systems promptly, even when that means taking them offline
- Monitoring continuously for drift, misconfigurations, and new vulnerabilities
As El Yadmani warned: “The primary risk is unnecessary network exposure. These medical systems should only be connected to secure, properly configured networks when there is a legitimate clinical need for remote access. While remote MRI operations are becoming more common to address staffing shortages and provide specialized expertise, many systems remain exposed to the internet without adequate cybersecurity measures. The question we should be asking is: Why are there MRI scanners with internet connectivity that lack proper security measures?”
The lesson is obvious: private health data isn’t private if it’s connected without protection. Until that changes, the most vulnerable patient isn’t just in the hospital, they’re already online.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.