Politics
Tens of thousands of patients from Australia’s largest medical imaging provider I-MED have had swaths of sensitive health and personal information exposed in a data breach using details that have been public for a year.
This information includes medical reports, scan images, names, addresses and other details kept in I-MED’s internal systems, which have been accessed by a third party.
On Thursday, the company provided a statement confirming the breach.
“After becoming aware of the subject I-MED took immediate action to disable all these external accounts and we contacted impacted customers,” it said in an email.
I-MED didn’t answer questions about how many patients had been affected in the breach.
Received a tip about this story? You can anonymously contact Cam Wilson here.
Last week, an anonymous person contacted Crikey claiming they had gained access to an internal I-MED online platform used by its radiologists to view patient information.
The person said they had gained access to I-MED’s system via login credentials that had been posted online. It’s a basic form of cyberattack called “credential stuffing”, where usernames and passwords exposed in a breach from one provider are used to log into other products and services. For example, a leak of data from Netflix may allow anyone to access a Netflix user’s email account if they used the same username and password.
In this case, the intruder said they found log-in details for three accounts, accessing data for St Vincent’s Public Hospital (it’s unclear whether it was the Sydney or Melbourne hospital), a cancer clinic in Sydney’s south-west, and an Australian radiologist.
Crikey has seen screenshots showing I-MED’s radiology patient portal, along with dozens of patients’ full name, date of birth, sex, which scan they received and the date. Between the three accounts, the portals list access to thousands of patients’ data from just the past month. The person said their access went back to 2006, suggesting that upwards of tens of thousands of patients’ data was accessible.
The person also shared a screenshot showing the information contained within one person’s file, which included more than 10 scan images, clinical notes from an I-MED radiologist dated this month, the date of the examination, details of the patient’s referring physician, the patient’s address and more.
Crikey described these details to I-MED staff, who didn’t dispute their authenticity.
I-MED’s statement said fewer “than 10 accounts” had been leaked online and that its preliminary investigations didn’t indicate there had been “significant unusual access to patient information”.
According to the person, these accounts had passwords three to five letters in length and had no two-factor authentication, like an email or text message sent to the account’s owner to restrict access. The accounts for the clinic and hospital also appeared to be the only ones used by many people. The person described these low security standards as “negligent”.
“We have also further strengthened our system surveillance and are working with cyber specialists to reply,” I-MED’s statement said, adding it had informed the Office of the Australian Information Commissioner.
This comes as I-MED refuses to answer questions about another data controversy following a Crikey investigation into how its patient data was used to train AI, reportedly without patients’ knowledge. Last week, Crikey revealed that privacy specialists had raised concerns about whether I-MED had obtained consent from its patients to provide it to health AI company harrison.ai and whether its attempts to de-identify the data had mitigated privacy risks.
After not answering Crikey’s repeated requests over a week regarding the imaging provider’s AI partnership with harrison.ai, an I-MED staff member answered an email regarding this breach in less than half an hour.
Despite this, I-MED still didn’t answer questions about its harrison.ai partnership.