Radiology provider exposed tens of thousands of patient files

An anonymous person has disclosed that they gained online access to a radiologist’s platform that hosted patient information using stolen credentials.

I-MED Radiology is Australia’s leading medical imaging provider. Their clinics offer a range of imaging procedures including MRI, CT, x-ray, ultrasound, and nuclear medicine. The person said they found the credentials in a data set that came from another breach, meaning it’s highly likely that the account holder used the same credentials for more than one service.

Cybercriminals often use leaked credentials and try them out on other websites and services. This type of attack is called credential stuffing. Criminals with access to the credentials from Site A will then try them on sites B and C, often in automated attacks. If the user has reused their password, the accounts on those additional sites will also be compromised.

The whistleblower told Crikey they found log-in details for three accounts in the data that belonged to a hospital. The credentials gave them access to I-MED’s radiology patient portal, and with that, to files showing patients’ full names, dates of birth, sex, which scans they received, and dates of the scans.

The credentials had been available online to cybercriminals for over a year. And to make things worse the accounts had passwords three to five letters in length and were not protected by two-factor authentication (2FA). It also seemed as if these accounts were shared among several people.

This level of authentication is below par by any standard, but it’s especially unacceptable when it concerns sensitive patient data.

When queried, I-Med said:

“We have… further strengthened our system surveillance and are working with cyber experts to respond.”

The news about the leak comes at a bad time for I-MED, following recent accusations that it allowed a startup to use patient data to train an Artificial Intelligence (AI) without consent.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.