In September 2024, I-MED became aware that credentials used to access our online referrer portal had been made publicly available. These external accounts are used by referring medical practitioners and other health professionals in the provision of patient care, including in emergency medical situations. 

We believe that some of these account credentials may have been compromised by Infostealer malware embedded in browsers on the devices used by those health professionals. 

Immediately upon becoming aware of the leaked credentials, I-MED mobilised a senior response team led by our CEO. We suspended the affected accounts, contacted account holders, and enforced password resets. We also notified the Office of the Australian Information Commissioner (OAIC) and worked closely with the National Office of Cyber Security and the Australian Signals Directorate (ASD). 

Following a comprehensive investigation, we confirmed that there was no unauthorised access to patient data beyond the access initially reported by an anonymous source. The impacted users and patient were notified at the time and the OAIC formally closed its file in March 2025. 

We continue to enhance our security measures and maintain rigorous system monitoring. As part of our ongoing efforts, we are rolling out multi-factor authentication (MFA) across our systems to further protect sensitive data. 

We thank the I-MED community for its ongoing support and understanding. The safety and privacy of our people, patients and referrers remain our highest priority. 

For any questions, please contact us at privacy@i-med.com.au.  

Published 26 September 2024 and updated 7 January 2025 and 14 July 2025