This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Power Diary

Summary

Power Diary, a Ballarat-based practice management software provider serving healthcare clinics in over 23 countries, identified and addressed a spam incident on August 25, 2024. Unauthorized parties triggered the platform's email system to send phishing emails to patients that appeared to come from their healthcare providers.

Attack Vector

An unauthorized party abused Power Diary's communication template feature to trigger the sending of spam emails through the platform. The phishing emails claimed the recipient had won an NFT and cryptocurrency award and urged them to click links to claim the fake prizes. Because of the misconfiguration, emails could be sent without authorization, with no system compromise or data theft required.

Consumer Impact

Phishing emails mentioning cryptocurrency prizes were sent to patients and appeared to originate from their GP or healthcare provider. Only a portion of the practices using Power Diary were affected. Critically, the company's investigation confirmed that no personal data was exposed during the incident: patient-specific details such as names were merged into the messages by the system only at the moment of sending, so the unauthorized parties never saw or accessed any personal information.

Response

Power Diary announced the incident on August 25, 2024, and addressed the vulnerability in the email-sending system. All affected practices were notified by email on August 26. The company emphasized that unauthorized parties could not access any personal information of patients or healthcare providers, with the breach limited to unauthorized use of the email communication feature.

Verification Source: View original statement