European cybersecurity firm Modat has reported that over 1.2 million internet-connected healthcare devices and systems have cybersecurity vulnerabilities that are exposing patient data. Results are drawn from across Europe, the United States, the Middle East and North Africa (MENA). The firm found 81K+ exposed systems in Ireland, and 77K+ in the United Kingdom.

Its findings were drawn from across 70+ different types of medical devices and systems. These include MRI, CT, X-rays, DICOM viewers, blood test systems, hospital management systems, and other medical systems.

According to the company, reasons for vulnerable devices are mis-configurations and insecure management settings, default or weak passwords, unpatched vulnerabilities in firmware or software.

The company discovered many systems lacked even basic authentication. Some used factory-default or weak passwords like, “admin” or “123456”. In other cases, outdated or unpatched software left critical devices vulnerable to exploitation.

One scan exposed a patient’s chest and brain MRI results, with names and medical history. Records include highly sensitive Protected Health Information (PHI) and Personally Identifiable Information (PII). These categories of personal data are protected by law in most jurisdictions, including in Europe and the UK by the GDPR.

The firm discovered a range of medical images that were exposed, including optician eye exams, dental X-rays, blood test results, detailed lung MRIs commonly used to aid patients suffering from lung cancer.

Research was conducted using Modat’s internet scanning platform Modat Magnify.

Soufian El Yadmani, Modat CEO said, “The question we should be asking is: Why are there MRI scanners with internet connectivity that lack proper security measures? The primary risk is unnecessary network exposure. These medical systems should only be connected to secure, properly configured networks when there is a legitimate clinical need for remote access.”