Cam Wilson reports:
Tens of thousands of patients from Australia’s biggest medical imaging provider I-MED have had swaths of sensitive health and personal information exposed in a data breach using details that have been public for a year.
This sounds like another case where a threat actor found credentials online. Crikey reports:
In this case, the intruder said they found log-in details for three accounts, accessing data for St Vincent’s Public Hospital (it’s unclear whether it was the Sydney or Melbourne hospital), a cancer clinic in Sydney’s south-west, and an Australian radiologist.
Crikey has seen screenshots showing I-MED’s radiology patient portal, including dozens of patients’ full name, date of birth, sex, which scan they received and the date. Between the three accounts, the portals list access to thousands of patients’ data from just the past month. The user said their access went back to 2006, suggesting that upwards of tens of thousands of patients’ data was accessible.
Read more at Crikey.
Update: A reader contacted DataBreaches. He writes:
This breach is in addition to an investigation being carried out by Australia’s Privacy Commission (www.oaic.gov.au) about transfer of patient results to Harrison.ai to train an AI system. This prior release is being considered as a possible breach. See Privacy commissioner to examine I-MED for collecting data to train AI.
See also:
- Privacy regulator probing I-MED for handing over private medical data used to train AI
- Leaked harrison.ai email shifts blame to I-MED over patient consent
- Australia’s largest medical imaging provider under probe for data breach over AI training
The JacksonLewis law firm also published a post about this topic: Investigation of AI Training by Australian Radiology Provider Provides Important Reminder for U.S. Healthcare Providers.