Tens of thousands of patients from Australia’s biggest medical imaging provider I-MED have had swaths of sensitive health and personal information exposed in a data breach using details that have been public for a year.
This information includes medical reports, scan images, names, addresses and other details that were stored in I-MED’s internal systems, which were accessed by a third party.
On Thursday, the company provided a statement confirming the breach.
“After becoming aware of the issue I-MED took immediate action to disable all these external accounts and we contacted impacted users,” it said in an email.
I-MED did not answer questions about how many patients had been affected in the breach.
Last week, an anonymous user contacted Crikey claiming they had gained access to an internal I-MED online platform used by its radiologists to view patient information.
The user said they had gained access to I-MED’s system through login credentials that had been posted online. It’s a common form of cyberattack called “credential stuffing”, where usernames and passwords exposed in a breach of one service are used to log into other services. For example, a leak of data from Netflix might allow someone to access a Netflix user’s email account if they used the same username and password for both.
In this case, the intruder said they found log-in details for three accounts, accessing data for St Vincent’s Public Hospital (it’s unclear whether it was the Sydney or Melbourne hospital), a cancer clinic in Sydney’s south-west, and an Australian radiologist.
Crikey has seen screenshots showing I-MED’s radiology patient portal, including dozens of patients’ full name, date of birth, sex, which scan they received and the date. Between the three accounts, the portals list access to thousands of patients’ data from just the past month. The user said their access went back to 2006, suggesting that upwards of tens of thousands of patients’ data was accessible.
The user also shared a screenshot showing the information contained within one user’s file, which included more than 10 scan images, clinical notes from an I-MED radiologist dated this month, the date of the examination, details of the patient’s referring physician, the patient’s address and more.
Crikey described these details to I-MED staff, who did not dispute their authenticity.
I-MED’s statement said fewer “than 10 accounts” had been leaked online and that its preliminary investigations did not indicate there had been “significant unusual access to patient records”.
According to the user, these accounts had passwords three to five letters in length and had no two-factor authentication, such as a code sent by email or text message to the account’s owner to restrict access. The accounts for the clinic and hospital also appeared to be single shared logins used by many individuals. The user described these low-security standards as “negligent”.
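The two weaknesses described above, reused credentials tried from outside and short, unshared-by-nobody passwords on accounts with no second factor, are both things a defender can look for in ordinary authentication logs. The following is an added example written for this page, not code from Crikey, I-MED or any real portal: a small Python detector that flags the credential-stuffing pattern (one source cycling through many different usernames with mostly failures) and audits account hygiene (password length, second factor, and accounts used from many places, which suggests a shared login). Every log line, username, IP address, account record and threshold is constructed for illustration.

```python
"""Added example: credential-stuffing detection and account-hygiene audit.

Not part of the original article or of any provider's systems. Log lines,
usernames, IP addresses, account records and thresholds are all constructed.
"""
from collections import defaultdict

# Constructed sample authentication log: (timestamp, source_ip, username, outcome)
SAMPLE_LOG = [
    ("2024-09-10T01:00:01", "203.0.113.7", "clinic_sw", "fail"),
    ("2024-09-10T01:00:02", "203.0.113.7", "stv_pub", "fail"),
    ("2024-09-10T01:00:03", "203.0.113.7", "dr_smith", "fail"),
    ("2024-09-10T01:00:04", "203.0.113.7", "dr_jones", "fail"),
    ("2024-09-10T01:00:05", "203.0.113.7", "dr_lee", "fail"),
    ("2024-09-10T01:00:06", "203.0.113.7", "clinic_sw", "success"),
    ("2024-09-10T08:15:00", "198.51.100.2", "dr_smith", "success"),
    ("2024-09-10T08:16:00", "198.51.100.2", "dr_smith", "success"),
    ("2024-09-10T09:00:00", "192.0.2.10", "clinic_sw", "success"),
    ("2024-09-10T09:05:00", "192.0.2.11", "clinic_sw", "success"),
    ("2024-09-10T09:10:00", "192.0.2.12", "clinic_sw", "success"),
    ("2024-09-10T09:20:00", "192.0.2.13", "clinic_sw", "success"),
]

# Constructed account records. password_length stands in for a policy check;
# a real audit would never store or log the passwords themselves.
ACCOUNTS = [
    {"user": "clinic_sw", "password_length": 4, "mfa": False},
    {"user": "stv_pub", "password_length": 5, "mfa": False},
    {"user": "dr_smith", "password_length": 14, "mfa": True},
]


def detect_stuffing(log, min_users=3, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames with mostly failures.

    A stuffing run looks different from a user mistyping a password: one
    source cycles through many *different* usernames, each tried once or
    twice, with a low success rate. Thresholds are assumed, not from the page.
    Returns {ip: summary} including which usernames the source got into.
    """
    attempts = defaultdict(list)
    for _ts, ip, user, outcome in log:
        attempts[ip].append((user, outcome))
    flagged = {}
    for ip, rows in attempts.items():
        users = {u for u, _ in rows}
        successes = sum(1 for _, o in rows if o == "success")
        rate = successes / len(rows)
        if len(users) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(users),
                "attempts": len(rows),
                "success_rate": round(rate, 2),
                "compromised": sorted({u for u, o in rows if o == "success"}),
            }
    return flagged


def shared_account_candidates(log, min_sources=3):
    """Accounts successfully used from many distinct sources in the window.

    One login handed around a ward or clinic shows up as a single username
    authenticating from many addresses; that defeats per-person accountability
    and makes a leaked password far more damaging.
    """
    sources = defaultdict(set)
    for _ts, ip, user, outcome in log:
        if outcome == "success":
            sources[user].add(ip)
    return {u: len(ips) for u, ips in sources.items() if len(ips) >= min_sources}


def audit_accounts(accounts, log, min_len=12):
    """Return {username: [issues]} for accounts failing basic hygiene checks."""
    shared = shared_account_candidates(log)
    findings = {}
    for acct in accounts:
        issues = []
        if acct["password_length"] < min_len:
            issues.append("short_password")
        if not acct["mfa"]:
            issues.append("no_mfa")
        if acct["user"] in shared:
            issues.append("shared_use")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    print("stuffing sources:", detect_stuffing(SAMPLE_LOG))
    print("hygiene findings:", audit_accounts(ACCOUNTS, SAMPLE_LOG))
```

On the constructed log, the single outside address that tried five different usernames and got into one of them is flagged, and the clinic account is reported with all three problems: a short password, no second factor, and successful use from five different addresses in one morning. The thresholds (three distinct usernames, a success rate at or below one half, three distinct source addresses) are starting points to tune against a real portal's baseline, not fixed rules.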
“We have also further strengthened our system surveillance and are working with cyber experts to respond,” I-MED’s statement said, adding it had informed the Office of the Australian Information Commissioner.
This comes as I-MED refuses to answer questions about another data controversy following a Crikey investigation into how its patient data was used to train AI, seemingly without patients’ knowledge. Last week, Crikey revealed that privacy experts had raised concerns about whether I-MED had received consent from its patients to provide their data to health AI company harrison.ai, and whether its attempts to de-identify the information had mitigated privacy risks.
After not answering Crikey’s repeated requests over a week regarding the imaging provider’s AI partnership with harrison.ai, an I-MED staff member answered an email regarding this breach in fewer than 30 minutes.
Despite this, I-MED still did not answer questions about its harrison.ai partnership.