I-MED Radiology Network, Australia’s largest medical imaging provider, recently experienced a data breach that exposed sensitive information of tens of thousands of patients. The breach occurred when an intruder accessed I-MED’s internal system by exploiting login credentials that had been left online for over a year. These credentials were obtained through a cyberattack method known as “credential stuffing,” where previously exposed usernames and passwords are used to gain unauthorized access to various platforms. The compromised data included medical reports, scan images, and personal information such as names and addresses.
The breach was first uncovered when an anonymous individual contacted a news outlet, claiming to have accessed patient data via I-MED’s online platform. The intruder stated that they found access details for several accounts linked to hospitals and clinics, allowing them to view thousands of patient records dating as far back as 2006. Screenshots shared with the media revealed detailed patient information, including clinical notes, scan images, and referring physician data. Despite I-MED’s confirmation of the breach, the company has not disclosed the full extent of the affected data or the number of patients impacted.
I-MED’s internal investigation indicated that fewer than 10 accounts were leaked online, but preliminary findings suggested there had been no significant unusual access to patient records. However, the compromised accounts reportedly had weak passwords—some only three to five characters long—and lacked two-factor authentication. Experts have criticized the company’s security measures, describing the oversight as negligent and highlighting the risks associated with inadequate protections for sensitive health data. In response, I-MED has strengthened its system monitoring and engaged cybersecurity experts to address vulnerabilities.
The data breach at I-MED follows earlier concerns about the company’s handling of patient data in its partnership with the health AI firm Harrison.ai. Investigations have raised questions about whether I-MED obtained proper consent from patients before providing their data for AI training purposes. These ongoing privacy concerns, coupled with the breach, have further damaged the company’s reputation and raised awareness about the need for stronger data protection measures within the healthcare and medical imaging sectors.