If they're taking patient data for research without permission, they are not ethical researchers.
Is it really “without permission” if it’s from a server for which the access credentials have been deliberately published to the entire internet?
If it's without the patient's permission, then yes, it is without the only permission that matters for medical ethics.
From the perspective of research ethics: it is very much without permission in that situation
Is it really “without permission” if it’s from a server for which the access credentials have been deliberately published to the entire internet?
If it's without the patient's permission, then yes, it is without the only permission that matters for medical ethics.
From the perspective of research ethics: it is very much without permission in that situation