An anonymous person has disclosed that they gained online access to a radiologist’s platform that hosted patient information using stolen credentials.<\/p>\n
I-MED Radiology is Australia\u2019s leading medical imaging provider. Their clinics offer a range of imaging procedures including MRI, CT, x-ray, ultrasound, and nuclear medicine. The person said they found the credentials in a data set that came from another breach, meaning it\u2019s highly likely that the account holder used the same credentials for more than one service.<\/p>\n
Cybercriminals often use leaked credentials and try them out on other websites and services. This type of attack is called credential stuffing<\/a>. Criminals with access to the credentials from Site A will then try them on sites B and C, often in automated attacks. If the user has reused their password, the accounts on those additional sites will also be compromised.<\/p>\n The whistleblower told Crikey<\/a> they found log-in details for three accounts in the data that belonged to a hospital. The credentials gave them access to I-MED\u2019s radiology patient portal, and with that, to files showing patients\u2019 full names, dates of birth, sex, which scans they received, and dates of the scans.<\/p>\n The credentials had been available online to cybercriminals for over a year. And to make things worse the accounts had passwords three to five letters in length and were not protected by two-factor authentication (2FA)<\/a>. It also seemed as if these accounts were shared among several people.<\/p>\n This level of authentication is below par by any standard, but it\u2019s especially unacceptable when it concerns sensitive patient data.<\/p>\n When queried, I-Med said:<\/p>\n \u201cWe have… further strengthened our system surveillance and are working with cyber experts to respond.\u201d<\/p>\n<\/blockquote>\n The news about the leak comes at a bad time for I-MED, following recent accusations that it allowed a startup to use patient data to train an Artificial Intelligence (AI) without consent<\/a>.<\/p>\n There are some actions you can take if you are, or suspect you may have been, the victim of a data breach<\/a>.<\/p>\n If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan<\/a>. Fill in the email address you\u2019re curious about (it\u2019s best to submit the one you most frequently use) and we\u2019ll send you a free report.<\/p>\n\n
Protecting yourself after a data breach<\/h2>\n
\n
Check your digital footprint<\/strong><\/h2>\n