New research has found millions of Australians’ sensitive medical images and data have been left openly accessible.

German security vendor Greenbone has found hundreds of millions of sensitive medical images on unprotected servers worldwide, including around 2.6 million in Australia.

The company ran a search for internet-connected Picture Archiving and Communications Systems (PACS) servers, on which healthcare organisations store radiology images of patients and other data.

Using scanning systems such as Shodan.io and Censys.io, the researchers uncovered 590 completely unprotected PACS servers with 24 million records in 52 countries. On these servers, they found 400 million images that could be downloaded with no access controls.

The Australian servers included X-ray, computed tomography and magnetic resonance imaging data, combined with patient names, dates of birth and examination dates, along with medical information.

The unprotected servers were using the Digital Imaging and Communications in Medicine (DICOM) protocol, which runs on transmission control protocol (TCP) ports 104 and 11112, and some also exposed DICOM web-based image viewers.

“It must be emphasised that no program development or coding was necessary to evaluate this data leak,” the company said.

“No exploits were written, no unknown/unpublished vulnerabilities were exploited.”