I-MED medical imaging provider reports data breach

Australia's largest medical imaging provider, I-MED, has experienced a data breach exposing sensitive health and personal information of tens of thousands of patients.

The breach was caused by credential stuffing, a cyberattack method in which hackers use login credentials exposed in previous breaches to access other accounts. An anonymous individual gained access to I-MED's online radiology platform by using credentials found online. Three accounts were compromised, allowing the intruder to view sensitive patient data from St. Vincent's Public Hospital, a cancer clinic in Sydney, and an Australian radiologist’s accounts. The attacker had access to patient data dating back to 2006.

The breach, which has been ongoing for at least a year, exposed  patient records, including:

• Medical reports,
• Scan images,
• Full names,
• Addresses,
• Dates of birth,
• Sex,
• Referring physicians’ details.

I-MED has not disclosed the exact number of individuals affected.

I-MED has downplayed the breach, stating that fewer than 10 accounts had been compromised and that their preliminary investigations did not show "significant unusual access to patient records." The breach has been reported to the Office of the Australian Information Commissioner (OAIC).