ProPublica and Bavarian public television BR reported that some 16 million records were available “unprotected on the internet and available to anyone with basic computer expertise”, protected by neither a password nor encryption.
It is unclear how much of the data has now been safely sealed away by the various hospitals and other health care providers affected in dozens of countries.
“Several thousand patient records were accessible,” confirmed Germany's Federal Office for IT Security (BSI), referring only to some 13,000 of the country's citizens affected.
“The patient data could be accessed as the simplest IT security measures, like access control using usernames and passwords, or encryption, were not implemented.”
However, the government agency “has no information that patient data were in fact copied for criminal purposes.”
As well as scan and radiology data, patients' names, birth dates and social security numbers were freely readable.
BR and ProPublica reported that at least 187 servers in the US and five in Germany were among the vulnerable computers, although there were similar security gaps in almost 50 countries, including Brazil, Turkey and India.
The BSI said it had informed “partner organisations” in 46 countries about the problem.