Medical records exposed by Telstra gaffe
A major vulnerability in medical software distributed by Telstra and in use by more than 40,000 Australian health specialists has reportedly left Australians' sensitive medical information potentially exposed to attackers.
The Argus software was acquired by Telstra Health in 2013 and is used by hospitals, GPs, specialists and primary health networks to share confidential patient information.
According to a Fairfax Media report, when used by doctors on their home computers, the Argus software left computers with remote desktop software installed open to exploitation: it created a separate username with a static default password, which was stored in plain text in a folder created by the software.
The report cites a source as stating that attackers had already discovered and exploited the vulnerability. But so far there is no evidence that the attackers used the access to steal medical records.
Attackers were instead using compromised systems to conduct illicit activities such as running scams and purchasing goods with likely stolen credit cards so the purchase could not be traced back to them.
Telstra has confirmed that a small group of customers with unsecured remote desktop configurations with open internet access were impacted by the vulnerability.
The company has sent communications to both current and former Argus users urging inactive users to uninstall the software and remove the associated accounts from users’ active directories. A patch has also been issued to plug the security hole.