More than 1.2 million internet-connected healthcare devices, including those used for medical imaging like MRI and X-ray scans, have been found to be leaking sensitive patient data online, according to researchers at Modat. The breach, discovered in August 2025, exposes a range of confidential medical files, patient contact information, and personally identifiable information, potentially putting millions at risk of identity theft and fraud.
Modat’s scan of the internet specifically targeted misconfigured devices lacking password protection, using the tag ‘HEALTHCARE’ to identify relevant systems. The exposed data includes brain scans, X-rays, and bloodwork results, stored alongside patient details. The findings highlight a critical vulnerability in the healthcare industry’s cybersecurity posture, researchers warn.
The scale of the breach extends beyond a single institution, encompassing hospitals globally. The exposed devices generate and leak data continuously, creating an ongoing risk. A report by TechRadar detailed the findings, emphasizing the potential for phishing attacks, wire fraud, and breaches of patient confidentiality and privacy.
Discussions surrounding proactive medical scanning, such as full-body MRIs, have raised concerns about the accuracy of medical diagnoses and the potential for overreaction to results. While widespread MRI scanning could lead to innovations that drive down costs and improve accuracy, some argue that the current technology produces a high risk of false positives. One commenter on Hacker News noted the parallel to software downtime detection systems, suggesting that addressing false negatives proactively is preferable to ignoring potential issues until a crisis occurs.
The debate centers on balancing the benefits of early detection against the potential for unnecessary anxiety and further medical interventions triggered by inaccurate results. The Hacker News discussion also highlighted the tendency of patients to seek second opinions and potentially pursue unnecessary procedures when faced with ambiguous medical findings.
As of February 16, 2026, no public statement has been issued by a coordinating international health body regarding the data breach or plans for a unified security response. Modat has not released a follow-up report detailing remediation efforts or the number of devices that have been secured.