Patients sent spam emails in practice software breach
The Power Diary email breach has resulted in ‘nonsense’ phishing emails being sent to patients that appeared to come from their GP.
Power Diary has launched a review of security protocols after spam emails were sent.
An email breach of practice management software Power Diary has resulted in hackers sending out spam emails to patients which seemingly came from the practice itself.
The Victorian company has confirmed it is investigating after an unauthorised party gained access to an email-sending feature, allowing it to use its communication template system.
The hackers were then able to successfully mimic the branding of the clinics involved and made the email appear to come directly from their healthcare provider.
The emails told users they had won a non-fungible token (NFT) and cryptocurrency award and encouraged them to click on a link to claim their fake prize.
Power Diary says no client data was accessed, and that all affected practices were notified by email on 26 August.
‘It’s important to emphasise that the unauthorised party did not have access to any personal information, including the email address the emails were sent to,’ the company said in a statement.
Dr David Adam, member of the RACGP – Practice and Technology Management Expert Committee, said the incident appeared minor but embarrassing.
‘The messages that were sent are so obviously nonsense … the malicious actors in this case are aiming for quantity over quality,’ he said.
‘Our practices are increasingly dependent on these third-party services.
‘It is very difficult for GPs, practice managers and owners to make a deep assessment of the security practices of others, and we largely have to take their word for it.’
The breach is the latest in a worrying trend of data hacks in medical software globally.
Earlier this year, nearly 13 million Australians were impacted by a MediSecure data breach, making it one of the largest cyber-attacks in the nation’s history.
And in July, a data breach at Australian healthcare educator Healthed led to the publication of personal details of GPs online.
Dr Rob Hosking, Chair of RACGP – Practice and Technology Management Expert Committee, told newsGP hackers are increasingly attacking health professions due to the large databases that come with them.
‘I suspect it’s probably, in the first instance, for identity theft because to register with medical practices you need to give lots of personal information,’ he said.
‘The other possibility is that they would find potentially embarrassing information that they then threaten to release unless they’re given ransom money.’
Dr Hosking says he has not seen many cases of extortion yet, but it is ‘obviously another concern in future’, and that this latest breach is a reminder to stay vigilant against ongoing threats.
‘Practices need to keep their systems up to date, their software up to date and their hardware up to date,’ he said.
Power Diary says the issue only affected a portion of practices, and it has now identified the ‘specific endpoint that was accessed’ and taken action to secure it.
‘We are also implementing additional security measures to prevent any further unauthorised access,’ it said.