Healthcare Organizations Exposing Patient Data Via Poorly Secured DICOM Servers
Healthcare organizations are exposing a vast amount of patient data by failing to implement even basic security measures for DICOM servers, according to a recent Trend Micro TrendAI analysis. TrendAI identified thousands of internet-facing DICOM servers belonging to hundreds of entities. The lack of security protections puts patient privacy at risk and gives hackers the opening they need for lateral movement and ransomware attacks.
Medical images generated from X-rays, MRI, CT, and ultrasound scans are captured, stored, processed, transmitted, and viewed using the Digital Imaging and Communications in Medicine (DICOM) standard. Work on a standard for communicating medical imaging information started in the early 80s and culminated in the DICOM standard. DICOM defines a file format for medical images and a network protocol for communicating those images between different devices and systems, including equipment such as scanners, workstations, and printers, software, network hardware, and Picture Archiving and Communication Systems (PACS). DICOM enables interoperability across devices and systems, regardless of manufacturer.
DICOM files contain medical imaging data; however, the metadata includes a substantial volume of protected health information, such as full names, dates of birth, and medical record numbers, and sometimes other sensitive data such as Social Security numbers and other patient identifiers. The metadata may also include information such as the referring physician’s name, the reading radiologist, why the test was ordered, diagnosis codes, and procedure information, while the images themselves can reveal sensitive health conditions.
The purpose of the DICOM standard is to allow easy viewing, storage, exchange, and transmission of medical images; however, there are also security features to protect against unauthorized access. The problem is that those security features are not being fully utilized, and in many cases, are not being used at all. Using Shodan.io scanning data, the TrendAI team identified 3,627 DICOM medical imaging servers in more than 100 countries that were directly accessible via the public internet, the largest percentage of which (33%) were in the United States (1,189 servers). While the exposed servers were often PACS or workstations, the TrendAI team points out that they often serve as gateways to medical imaging modalities such as MRI systems, X-Ray equipment, CT and PET-CT scanners, and mammography units. While the analysis did not identify any of those medical devices, it is reasonable to assume that the exposed servers communicate with those devices.
The analysis was conducted using Shodan scanning data from November to December 2025, which revealed that many DICOM servers have minimal or no security controls. TrendAI found that only 0.14% of exposed DICOM servers use TLS encryption, which prevents eavesdropping and man-in-the-middle attacks. DICOM servers should only accept connections from known, trusted sources; however, 99.56% of exposed servers accepted connections without AE Title validation, suggesting AE Title validation was not being enforced. Across the exposed servers, 334 organizations could be identified. They included 231 healthcare organizations such as hospitals, clinics, laboratories, and imaging and radiology centers.
The best practice is to ensure that DICOM servers are on isolated networks with firewalls restricting access; however, the fact that 3,627 servers were exposed to the internet shows that even this basic security control is not being implemented. Further, an analysis of software versions found that many had significant patch deficiencies, including unpatched critical vulnerabilities such as CVE-2019-1010228, CVE-2022-2119, CVE-2022-2120, and CVE-2025-0896. The TrendAI team also found that 44% of servers cluster into groups running identical software, which means that one vulnerability can be exploited on hundreds of targets. The scant protections put patient privacy at risk, potentially allowing extensive data theft, image manipulation, lateral movement, and ransomware attacks.
“Security must be treated as a fundamental requirement rather than an optional enhancement. The tools exist; they simply need to be used,” suggests TrendAI. “Healthcare organizations, cloud providers, and DICOM software vendors all share responsibility for addressing this exposure. Until they do, patient data remains at risk, clinical systems remain vulnerable, and the healthcare sector remains an attractive target for malicious actors.”
The post Healthcare Organizations Exposing Patient Data Via Poorly Secured DICOM Servers appeared first on The HIPAA Journal.
John Chachas Reveals America’s Medical Data Crisis: HIPAA Protects Your Hospital, Not Your Health – BBN Times
Hematology Oncology Consultants; Southcoast Health; Cunningham Prosthetic Care Announce Data Breaches – The HIPAA Journal
Hematology Oncology Consultants; Southcoast Health; Cunningham Prosthetic Care Announce Data Breaches
Data breaches have recently been announced by Hematology Oncology Consultants in Michigan, Cunningham Prosthetic Care in Maine, and Southcoast Health System in Massachusetts.
Hematology Oncology Consultants
Hematology Oncology Consultants in Michigan have started notifying individuals affected by a September 20, 2025, security incident. Upon detection, immediate action was taken to secure its network and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the unauthorized activity. On or around February 12, 2026, Hematology Oncology Consultants confirmed that files containing personal and protected health information were likely exfiltrated from its network.
The review of the affected files was completed on April 7, 2026, and notification letters started to be mailed to the affected individuals on April 24, 2026. Data compromised in the incident includes names, medical records, health insurance information, and Social Security numbers. While not described as a ransomware attack, the Rhysida ransomware group claimed responsibility for the attack. Rhysida threatens to sell or publish the stolen data if the ransom is not paid. The group claims to have sold some of the stolen data and has leaked 40% of the data exfiltrated in the attack. The incident has been reported to regulators, although it is currently unclear how many individuals have been affected.
Cunningham Prosthetic Care
The Saco, Maine-based orthotic and prosthetic service provider Cunningham Prosthetic Care has started notifying patients about a data security incident first identified on October 22, 2025. Suspicious activity was identified within an employee’s email account, and upon investigation, unauthorized access to the account was confirmed as occurring on October 22, 2025. The account was reviewed, and after around 4 months, it was confirmed that the account contained personal and protected health information, including names, health insurance information, diagnostic information, medical treatment information, and medical record numbers. The affected individuals started to be notified by mail on May 1, 2026. The data breach has been reported to the appropriate authorities, but at present, the number of affected individuals has yet to be publicly disclosed.
Southcoast Health
Southcoast Health System, a nonprofit community health system with more than 55 locations in Southeastern Massachusetts and Rhode Island, has identified unauthorized access to a single user account on February 16, 2026. The security incident was identified on the same day, and unauthorized access was immediately blocked. While the incident was detected quickly, it is possible that sensitive data such as names and Social Security numbers were viewed or acquired. As a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring and identity theft protection services. At the time of publication, the number of affected individuals had not been publicly disclosed.
The post Hematology Oncology Consultants; Southcoast Health; Cunningham Prosthetic Care Announce Data Breaches appeared first on The HIPAA Journal.
Listen: A Federal Agency Is After Workers’ Health Data, and Critics Are Alarmed – KFF Health News
SPECTRA EXECUTES LARGE-SCALE MAILING FOR MEDICARE ADVISORY SERVICE – The National Law Review
SPECTRA EXECUTES LARGE-SCALE MAILING FOR MEDICARE ADVISORY SERVICE The National Law Review
HIPAA—N.D. Tex.: Hospital seeks stay of subpoena enforcement pending appeal (May 7, 2026) – VitalLaw.com
Why Medical Couriers Are Always Classified as HIPAA Business Associates
Other than when they are directly employed by a covered entity, medical couriers are always classified as a HIPAA business associate due to the nature of the work they are contracted to do and their “operational access” to Protected Health Information (PHI), even when access only consists of a visible name, reference number, or address.
Medical couriers play an important role in the healthcare system by transporting specimens, medications, lab results, and other items that support patient care. Because deliveries often involve sealed packages, it could be assumed that medical couriers do not qualify as business associates under the HIPAA conduit exception.
This exception applies to entities that transmit PHI on behalf of a covered entity or business associate without storing it and without having anything more than transient, incidental access to PHI. Examples include the US Postal Service, UPS, FedEx, and Internet Service Providers who simply act as channels through which information flows.
Why the Conduit Exception Does Not Apply to Medical Couriers
Medical couriers, by contrast, are contracted specifically to transport PHI. To fulfil the service they are contracted to provide, medical couriers routinely handle paperwork connected with specimens, read names on labels, sign or verify chain‑of‑custody forms, and confirm pickup and delivery details tied to specific patients.
Their access is not incidental, accidental, or transient, it is operational. Because of this, healthcare organizations, pharmacies, and labs must treat them as HIPAA business associates. That means medical couriers must sign Business Associate Agreements (BAAs) and comply with all applicable HIPAA standards. The same applies when an independent contractor is engaged by a business associate as a subcontractor.
When Access Only Consists of a Visible Name, Number, or Address
When access only consists of a visible name, reference number, or address, the visible information is still classified as PHI because these elements are references to individually identifiable health information being transported within the package. This means a visible name, reference number, or address on the outside of the package is part of the same designated record set as the information inside the package.
This distinction is important because information visible on the outside of the package must be protected with the same care as the information inside the package. It is for this reason that, other than when they are directly employed by a covered entity, medical couriers are always classified as HIPAA business associates, and must train their drivers, dispatchers, and customer service teams on all applicable HIPAA standards.
The post Why Medical Couriers Are Always Classified as HIPAA Business Associates appeared first on The HIPAA Journal.