A new report claims that confidential medical records for millions of Americans are publicly accessible online on unprotected servers. 187 public servers containing confidential medical records did not even have a password in place.

A report by Ars Technica claims that medical records for millions of Americans are publicly accessible on the Internet. According to the report, confidential medical records for as many as five million Americans are accessible on unprotected public servers.

Cybersecurity researchers found 187 unprotected servers hosted by medical providers. These servers, which contained confidential medical records, were not protected by even a basic password. According to the report, the unprotected servers were primarily hosted by independent medical providers including radiologists and medical imaging centers.

But these aren’t the only servers that have cybersecurity experts concerned. A study from 2016 found nearly 3,000 unprotected servers that contained radiology records. To the researcher’s surprise, some of the servers were hosted by advanced and respected radiology departments around the world.

“The scan discovered a total of 2,774 unprotected radiology or DICOM servers worldwide. Of those, 719 were fully open to patient data communications,” the study’s authors concluded. “Geolocation was used to analyze and rank our findings according to country utilization. As a result, we built maps and world ranking of clinical security, suggesting that even the most radiology-advanced countries have hospitals with serious security gaps.”

Despite the crisis, the United States Department of Health and Human Services isn’t exactly cracking down on medical providers that are breaching patient privacy rights. In April, the department lowered the maximum annual fine for providers that leak confidential medical records from $1.5 million to $250,000.

Patients can protect themselves and their right to confidentiality by asking their medical providers if online access to their records requires a password. Additionally, patients are advised to ask their providers if they protect their confidential records by regularly conducting HIPPAA’s security risk assessment.