SECURITY · Jun 22, 2026 · 3 MIN READ

How I Found 21,000 Patient Photos Online—And What Happened Next

A medical records folder holding patient photo cards secured by a small padlock, beside an open door spilling light into a dark room

The Open Door

It was a routine scan. I was exploring subdomains when I stumbled upon a data‑labeling portal for a European telemedicine company. The login page had a "Sign Up" button. I clicked it.

No email verification. No access code. No approval. Just a form. Thirty seconds later, I was in.

The dashboard loaded. Rows of projects with clinical names: "Skin Condition Segmentation," "Bodyparts," "T‑Zones." I clicked one. Thumbnails appeared—high‑resolution medical photographs of skin lesions, rashes, moles. Each image was tagged with a clear‑text diagnosis: "hand eczema," "actinic keratosis," "psoriasis."

My stomach dropped. This wasn't a test environment. This was live patient data.

The Scope

A quick manual review revealed the staggering scale:

  • Over 21,000 medical images of patients' skin.
  • More than 22,000 physician annotations containing diagnoses.
  • Internal case IDs that could link back to full medical records.
  • A full user list, including employees and external contractors.

The software was years out of date. Even more alarming: the project list contained SQL injection payloads as project titles—signs that an automated attack tool had already been there. Someone else had found this door before me.
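The injection payloads sitting in the project list are the kind of indicator a defender looks for when triaging an application that turns out to have been exposed: they show whether automated tooling reached it first. The script below is an added illustration, not code from the author or the company, that scans a constructed list of stored project titles for the signatures such scanners leave behind (tautologies, time-delay calls, UNION probes, trailing comment markers) and reports which titles need a closer look. The titles, the signature list and the function names are all assumptions made for the example; a real triage would run the same check against the actual database export and log source.

```python
import re

# Constructed sample of stored project titles, standing in for the kind of
# records the post describes. None of these come from the real system.
SAMPLE_TITLES = [
    "Skin Condition Segmentation",
    "Bodyparts",
    "T-Zones",
    "Bodyparts' OR 1=1--",
    "T-Zones\" AND SLEEP(5)#",
    "Segmentation; WAITFOR DELAY '0:0:5'--",
    "Face Lesions UNION SELECT 1,2,3",
    "Normal project with apostrophe O'Brien",
]

# Signatures of common injection probes left behind by automated scanners.
# Each entry is (label, compiled regex). The patterns target structures that
# legitimate titles almost never contain, which keeps false positives low:
# a lone apostrophe (O'Brien) is not enough to trigger the tautology rule.
INJECTION_SIGNATURES = [
    ("tautology", re.compile(r"['\"]\s*\b(?:or|and)\b\s+\S+\s*=\s*\S+", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("comment-terminator", re.compile(r"(?:--|#|/\*)\s*$")),
]


def classify_title(title: str) -> list[str]:
    """Return the label of every injection signature found in one title."""
    return [label for label, pattern in INJECTION_SIGNATURES if pattern.search(title)]


def triage(titles: list[str]) -> dict[str, list[str]]:
    """Map each suspicious title to its matched signatures; clean titles are omitted.

    A non-empty result is the cue to treat the system as already probed:
    preserve logs, check for follow-on activity, and widen the forensic scope.
    """
    findings: dict[str, list[str]] = {}
    for title in titles:
        hits = classify_title(title)
        if hits:
            findings[title] = hits
    return findings


if __name__ == "__main__":
    for title, hits in triage(SAMPLE_TITLES).items():
        print(f"{title!r}: {', '.join(hits)}")
```

Run against the constructed sample, four of the eight titles are flagged and the legitimate title containing an apostrophe is left alone. In practice the interesting output is not the match itself but its timestamp: the creation time of the oldest flagged record bounds how long the system was reachable by scanners before anyone noticed.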

The Report

I drafted an urgent email. Subject: "CRITICAL SECURITY FLAW." I outlined the immediate steps: disable open registration, lock suspicious accounts, notify the data protection authority within the 72‑hour GDPR window. I was clear about my actions: I had accessed the system with a test account to confirm the vulnerability. I had not downloaded patient images. I had not attempted to identify individuals. I provided the test account details and asked for its deletion.

Then I sent it.

The Response

Within hours, I had a reply. The company's data protection lead acknowledged the report. The vulnerable system was taken offline immediately. A forensic investigation was launched.

Then came the surprise: they offered a bounty for a full technical report.

We agreed on a fee. The payment arrived promptly. I delivered a detailed breakdown of the vulnerability, along with a dozen other security issues I'd identified across their infrastructure—exposed admin panels, leaked API keys, misconfigured services.

The Professional Dialogue

A day later, they followed up with a clarification request about data access. We exchanged emails, clarified the scope of what was viewed versus what was retained, and reached a mutual understanding. The tone remained professional, focused on resolution. They thanked me for my cooperation. The matter was closed.

Why This Story Isn't a Horror Story

Responsible disclosure works. When a company responds with urgency and respect, the vulnerability gets fixed, patients are protected, and researchers are incentivized to report, not exploit.

Bounties build bridges. A fair bounty transforms a security report into a legitimate transaction. It compensates the researcher and delivers critical intelligence to the company.

"Shadow IT" is a silent risk. This labeling tool was likely set up for an internal project and forgotten. Without lifecycle management, such systems become open doors to sensitive data.

Transparency is the best policy. My detailed report gave them what they needed to act. Their transparent communication prevented the situation from becoming adversarial.

The Takeaway

Finding a catastrophic data leak is a mix of dread and duty. What you do next defines the outcome. I chose to report it responsibly. The company chose to listen, fix the issue, and pay for the insight. No lawsuits. No public shaming. Just a security flaw patched and a safer system for patients.

That's how security should work. And that's a story worth sharing.