Munich (dpa) - Sensitive medical data of millions of patients worldwide has been sitting on openly accessible servers on the internet, in some cases for years.
As Bayerischer Rundfunk (BR) reported, more than 13,000 of the discovered data sets come from Germany, from at least five different server locations.
The data includes medical images such as breast cancer screenings, spinal images and X-rays. The majority of the German data comes from patients in the Ingolstadt area and from Kempen in North Rhine-Westphalia, the report said.
In Ingolstadt, however, sensitive patient data leaked in only one case, from a single doctor's practice, the Bavarian State Office for Data Protection confirmed. Examination data of around 7,200 patients could be retrieved without any password protection. The affected doctor was informed and then shut the computer down. According to current information, none of the public clinics in Bavaria is affected, said Bavarian data protection officer Thomas Petri.
The Federal Office for Information Security (BSI) was informed by IT security researchers and has notified the affected institutions, the agency announced on Tuesday. There was no evidence that the data had actually been leaked with criminal intent. Federal Health Minister Jens Spahn (CDU) called for the highest data protection precautions. The highest protection standards should always be guaranteed for the storage of patient data, said Spahn, and this applies to every doctor's office, pharmacy, hospital and service provider.
According to research by BR together with the US investigative platform ProPublica, 16 million data sets are openly accessible on the net in around 50 countries, from Brazil and Turkey to India. Patients in the USA are particularly affected. "For a single provider of radiological examinations alone, more than one million patient data sets were accessible, according to a report by ProPublica," the report said.
There was not one large data leak but a multitude of unprotected servers, for example for image storage. A potential attacker needs no special knowledge to gain access to these servers, called PACS (Picture Archiving and Communication System), on which X-ray or MRI images are stored, IT security expert Dirk Schrader told dpa. With some familiarity with the internet and a "DICOM viewer" available online, it was easy to view the images.
According to the BSI, the data were accessible "because the simplest IT security measures such as access protection by username and password or encryption were not implemented". Data protection was simply forgotten in many cases. Schrader identified more than 2,300 such IT systems worldwide and was able to access 590 of them.
The effort needed to secure the data was "pretty minimal," said Schrader: appropriate filter rules would have to be installed at the firewall. The measures could be implemented relatively quickly; Schrader estimates half a day of research into who actually needs access and ten minutes of implementation.
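As an added illustration of the firewall filter rules Schrader describes (example configuration, not from the report or any of the institutions named), a default-deny inbound policy for a PACS host: DICOM is accepted only from the clinic's own imaging networks, and connection attempts from anywhere else are logged and dropped. The interface name, the subnets and the use of DICOM over TLS are assumptions; 104 and 11112 are the IANA-registered DICOM ports and 2762 the DICOM-TLS port.

```nftables
#!/usr/sbin/nft -f
# Added example: nftables input policy for a PACS server.
# Interface and subnets are assumed values for a small practice network.
flush ruleset

define PACS_IF      = "eth0"
define MODALITIES   = { 10.10.20.0/24 }   # CT / MRI / X-ray devices (assumed subnet)
define WORKSTATIONS = { 10.10.30.0/24 }   # radiology reading stations (assumed subnet)
define DICOM_PORTS  = { 104, 11112 }      # plain DICOM (IANA-registered)
define DICOM_TLS    = 2762                # DICOM over TLS (IANA-registered)
define DICOM_ALL    = { 104, 11112, 2762 }

table inet pacs_filter {
    chain input {
        # Default deny: anything not explicitly accepted below is dropped
        type filter hook input priority 0; policy drop;

        # Keep established sessions and loopback traffic working
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop

        # Plain DICOM only from the internal imaging networks
        iifname $PACS_IF ip saddr $MODALITIES   tcp dport $DICOM_PORTS accept
        iifname $PACS_IF ip saddr $WORKSTATIONS tcp dport $DICOM_PORTS accept

        # DICOM over TLS for the reading workstations
        iifname $PACS_IF ip saddr $WORKSTATIONS tcp dport $DICOM_TLS accept

        # Log (rate-limited) every other attempt to reach the DICOM ports:
        # a source outside the allow-listed subnets is exactly the exposure
        # the researchers found, and worth an alert
        tcp dport $DICOM_ALL limit rate 10/minute log prefix "pacs-dicom-denied: "

        # Everything else falls through to the drop policy
    }
}
```

Load it with `nft -f` and verify with `nft list ruleset` that no DICOM port is reachable from outside the listed subnets; a PACS behind this policy is no longer reachable from the internet with a DICOM viewer alone.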
The Federal Commissioner for Data Protection, Ulrich Kelber, spoke of a "devastating first impression". It must now be clarified whether third-party providers may also be responsible. Large fines are not ruled out.
The Federal Minister of Health must finally take responsibility for the security of patient data, demanded Eugen Brysch of the German Foundation for Patient Protection. Brysch proposed a Federal Office for Digitization in Health Care. "Patient data belongs on secure servers in Germany." Spahn must ensure "that a person's most sensitive data does not wander unprotected around the Internet".
Adequate security measures are urgently needed, especially in the healthcare sector, says David Emm, security researcher at anti-virus specialist Kaspersky. Cybercriminals are also increasingly focusing on the industry. "We estimate that in 2018 alone, medical organizations attacked 28 percent of hospital-acquired devices," Emm said.
Report by Bayerischer Rundfunk