On August 25th, an unauthorized party gained access to an email-sending feature, which allowed them to send out emails that appeared to come from some practices and may have been sent to patients. Importantly, no client data was accessed.
What Happened?
We want to inform you about a security issue that affected some practices.
On 24th/25th August an unauthorized party gained access to an email-sending feature on our platform. This allowed them to send out emails that appeared to come from the practice and that were sent to some patients.
The unauthorized party used our communication template system to trigger the email-sending functionality.
It’s important to emphasize that the unauthorized party did not have access to any personal information, including the email addresses the emails were sent to. The template merge fields, such as patient names and email addresses, were populated by our system after the emails were triggered, meaning the sender never saw nor had access to this information.
The content of these emails mentioned winning an NFT and cryptocurrency award, and encouraged clicking on a link to claim this fake prize. This is fairly typical of low-level spam emails that attempt to convince users to click on links and share their details. There were also emails sent that referenced an attachment, although no attachments were included in these emails.
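The paragraph above describes a pattern worth seeing in code: the sender supplies only a template and a patient identifier, the server fills in the merge fields, and so the sender never sees the merged name or address even though the mail still reaches the patient. The example below is an added illustration of that pattern and is not Power Diary's code; it also does not describe the actual vulnerability or fix, which the page does not detail. It assumes a hypothetical send endpoint that can be reached without an authenticated session and without checking that the patient belongs to the caller's practice (one way an endpoint can be driven by "system-generated patient ID numbers" alone), and shows the authorization checks a practitioner would expect beside it. All patient records, template names, tokens and IDs are constructed for the example.

```python
from string import Template

# Constructed sample data standing in for the platform's database; none of it is real.
PATIENTS = {
    1001: {"practice_id": 7, "name": "Alice Example", "email": "alice@example.invalid"},
    1002: {"practice_id": 7, "name": "Bob Example", "email": "bob@example.invalid"},
    2001: {"practice_id": 9, "name": "Carol Example", "email": "carol@example.invalid"},
}
TEMPLATES = {  # templates are owned by one practice; $name is a merge field
    "appt-reminder": {"practice_id": 7, "body": "Hi $name, your appointment is tomorrow."},
}
SESSIONS = {"tok-practice-7": {"practice_id": 7}}  # hypothetical bearer token -> practice
OUTBOX = []  # stands in for the mail transport so sent messages can be inspected


def render(template_body, patient):
    """Server-side merge. The caller only supplies template text and a patient
    ID; the merged name and address never leave the server."""
    return Template(template_body).safe_substitute(name=patient["name"])


def send_vulnerable(patient_id, body):
    """Hypothetical weak endpoint (an assumption for illustration): no
    authentication, no check that the patient belongs to the caller's
    practice, and free-form body text. Anyone who can reach it can guess
    sequential patient IDs and mail each one that exists."""
    patient = PATIENTS.get(patient_id)
    if patient is None:
        return {"status": 404}
    OUTBOX.append({"to": patient["email"], "body": render(body, patient)})
    return {"status": 200}  # response reveals nothing about the patient


class Forbidden(Exception):
    pass


def send_hardened(auth_token, template_id, patient_id):
    """The same operation with the checks a practitioner would expect (good
    practice, not a description of the vendor's fix): an authenticated caller,
    a stored template owned by that practice, and a patient of that practice."""
    session = SESSIONS.get(auth_token)
    if session is None:
        raise Forbidden("unauthenticated")
    practice_id = session["practice_id"]
    template = TEMPLATES.get(template_id)
    patient = PATIENTS.get(patient_id)
    # Same error for "does not exist" and "not yours", so a caller cannot use
    # the endpoint to discover which patient IDs are valid.
    if template is None or template["practice_id"] != practice_id:
        raise Forbidden("template not available")
    if patient is None or patient["practice_id"] != practice_id:
        raise Forbidden("patient not available")
    OUTBOX.append({"to": patient["email"], "body": render(template["body"], patient)})
    return {"status": 200}


def spray_vulnerable(id_range, body):
    """Attacker behaviour against the weak endpoint: walk a range of IDs and
    send to every one that exists. Returns the number of messages delivered."""
    return sum(send_vulnerable(pid, body)["status"] == 200 for pid in id_range)


def spray_hardened(auth_token, template_id, id_range):
    """The same sweep against the hardened endpoint: only patients of the
    authenticated practice receive mail, and only from a stored template."""
    delivered = 0
    for pid in id_range:
        try:
            send_hardened(auth_token, template_id, pid)
            delivered += 1
        except Forbidden:
            pass
    return delivered


if __name__ == "__main__":
    spam = "Congratulations $name, you have won an NFT! Claim it at https://example.invalid/claim"
    ids = range(1000, 2100)
    print("unauthenticated sweep delivered:", spray_vulnerable(ids, spam))
    print("hardened, no token:", spray_hardened("bogus", "appt-reminder", ids))
    print("hardened, practice 7 token:", spray_hardened("tok-practice-7", "appt-reminder", ids))
```

The point the sweep makes is the one the advisory makes in prose: the attacker's responses contain no patient data, yet every patient whose ID exists gets the message. Server-side merging protects confidentiality, not the sending decision itself; that has to be tied to an authenticated practice, and the error responses should not distinguish unknown IDs from other practices' IDs.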
We understand the concern this may have caused both you and your patients. We deeply regret any confusion or concern this incident may have caused and want to address any questions you might have.
Frequently Asked Questions (FAQs)
- How did this happen?
An unauthorized party was able to exploit a vulnerability in our email-sending system, which allowed them to send bulk emails that appeared to originate from your practice. The system’s template feature inserted patient email addresses, names and other details after the emails were triggered, but the unauthorized party did not have access to this personal information.
- Was my practice affected?
This issue only affected a portion of practices using Power Diary, and all affected practices were notified by email on Monday 26th August.
- I received an email, so was my practice’s account compromised?
No, your practice’s account was not compromised. The issue was not due to a breach of your individual account or our overall system, but rather a vulnerability in the email-sending feature. This allowed the unauthorized party to send emails using system-generated patient ID numbers without accessing any of your practice’s data.
- Did the unauthorized party access any patient information?
No, the unauthorized party did not have access to any patient information. The system inserted patient-specific details, like names, only after the email was triggered, meaning the sender never saw or accessed these details.
- What should I tell my patients?
If your practice was affected, we recommend informing your patients about the incident in a transparent yet reassuring manner. You can direct them to the dedicated patient information page we created to explain the situation and answer their most likely questions. This can help mitigate any concerns they may have.
To help with this, we’ve included here a sample email you may wish to send:
Dear client,
Unfortunately we’ve become aware that some SPAM emails have been sent through our practice management system, Power Diary. These emails mentioned winning an NFT or cryptocurrency award, and encouraged clicking on a link to claim this fake prize. There were also emails sent that referenced an attachment, although there were no attachments included in these emails.
If you received anything like this - from us or anyone else - please do not click the link.
Power Diary has investigated this and determined that no personal information was accessed.
The email merge fields, such as patient names and email addresses, were populated by the system after the emails were sent - meaning the unauthorised party never saw nor had access to this information.
You can see more information about this here.
We apologise for the concern this may have caused.
Regards,
xxx
- What steps are being taken to prevent this from happening again?
We have identified the specific endpoint that was accessed and have taken immediate action to secure it. We are also implementing additional security measures to prevent any further unauthorized access. Additionally, we are conducting a comprehensive review of our security protocols to identify and address any other potential vulnerabilities.
As part of Power Diary’s ISO 27001 certification, we regularly engage external security consultants to review and stress-test all of our systems. Any vulnerabilities found are promptly addressed and re-tested before certification can occur. Unfortunately, in this case those reviews gave no indication that this type of event could occur.
- Will this affect my practice’s reputation?
We understand that maintaining trust with your patients is crucial. While this incident may cause concern, we believe that providing clear and honest communication to your patients can help mitigate potential damage. We are here to support you in this process, including providing you with the necessary information to reassure your patients.
- Can I still use the email-sending feature?
Yes, you can continue to use the email-sending feature. We have taken steps to secure the endpoint that was accessed and are actively monitoring the system for any further suspicious activity. If you have any concerns about using this feature, please reach out to our support team.
- How will I be kept informed about the situation?
We will continue to provide updates on our status page as we make further progress in our investigation and implement additional security measures. We will also revise this page as more information becomes available. You can also reach out to our support team at any time if you have specific questions or need assistance.
- What should I do if a patient contacts me about this?
If a patient contacts you with concerns, we recommend reassuring them that no personal information was accessed by the unauthorized party. You can also direct them to our patient information page, which provides detailed explanations and answers to their questions. Our support team is also available to assist you with any patient inquiries.
- Who can I contact for more information?
If you have any further questions or concerns, please feel free to reach out to our support team. We are here to help and will do our best to address any concerns you may have as we work through this issue together.