Cyber Incident Victim: I-MED Radiology

Date: Jan 2024

Location: Australia

Summary

A cyber incident at I-MED Radiology exposed patient data after an unauthorized party accessed its radiology platform through credential stuffing: previously leaked login credentials were used against accounts that had weak passwords and no two-factor authentication. The breach exposed sensitive information including full names, dates of birth, medical reports, MRI scans, addresses, and clinical notes, potentially affecting tens of thousands of patients, with some data accessible back to 2006. The compromised accounts, shared among multiple users, allowed broad access to patient portals. The organization stated that no significant unusual access was detected; it responded by disabling the affected accounts, enhancing system surveillance, engaging cybersecurity experts, and notifying relevant authorities.

Description

In early 2024, I-MED Radiology, Australia’s largest medical imaging provider, experienced a data breach when an unauthorized third party accessed its internal radiology platform using compromised credentials. The attacker obtained login details from a prior unrelated data leak and exploited weak account security measures. According to investigative reports, the breached accounts belonged to three entities: St Vincent’s Public Hospital (location unspecified), a cancer clinic in Sydney’s south-west, and an individual Australian radiologist. These accounts lacked two-factor authentication and used passwords between three and five characters in length, a practice the attacker described as negligent. The credentials had been publicly available online for over a year, enabling a credential-stuffing attack in which login details reused from other breaches were tried against I-MED’s systems. Once logged in, the intruder could view patient portals containing full names, dates of birth, genders, MRI scan images, medical reports, clinical notes, examination dates, referring physician details, and patient addresses. Screenshots verified by Crikey showed access to thousands of records from the preceding month alone, with the attacker claiming historical access dating back to 2006.

I-MED confirmed the breach after being alerted by media inquiries, stating that fewer than 10 external accounts were compromised and disabling them immediately. The company contacted impacted users and initiated investigations, which preliminarily found no evidence of significant unusual access to patient records. Internal assessments suggested the attacker could have accessed over 1,000 records, though external analysis of portal activity indicated that the data of tens of thousands of patients was potentially exposed because of the breadth of historical data available. I-MED engaged cybersecurity experts to strengthen system surveillance and reported the incident to the Office of the Australian Information Commissioner. The breach occurred amid ongoing scrutiny of I-MED’s data practices, following revelations that it had provided patient information to AI firm harrison.ai for training purposes without clear patient consent. The company did not address questions about this separate controversy while responding to the breach. No ransomware or extortion attempts were linked to the incident, and operational systems remained functional throughout.
