“Weaponizing people’s private information for the purpose of extorting payment is malicious,” he said.
Medibank admitted on October 13 that it had been hacked. It later said that the personal information of 9.7 million customers and 480,000 health claims had been viewed.
The insurer announced on Monday that it would not pay a ransom to keep the data private. On Wednesday, the credentials of clients who had accessed medical care, including addiction recovery and mental health care, were released. This was followed Thursday by information about patients who had requested and had abortions. On Friday, the Sydney Morning Herald reported the release of more sensitive data, this time related to alcohol and mental health issues.
Details of medical procedures involving about 500 people were part of the two online filings, according to the Conversation, a nonprofit news site. The Herald said the third drop – in a file titled “Boozy” – included details of the care of 240 people.
Josh Roose, a political sociologist at Deakin University, said healthcare organizations are common targets of ransomware attacks. But they usually find their computer systems locked down, with a ransom demand in exchange for regaining access.
On occasion, cybercriminals have accessed personal health information, including in a security breach this summer involving more than 235,000 patients at Keystone Health in Pennsylvania. Rarely do cases escalate into public disclosure of sensitive health information, Roose said.
“It’s obviously a pretty disgusting line of attack to take,” he added. “And we know that there are hackers who deliberately target health services precisely for this reason. That kinda tells you how bad things are and how, indeed, hardcore this particular band is.”
According to Roose, the Medibank ransomware attack appeared to be linked to a Russian hacking group. The data was posted on a dark web forum linked to the REvil collective, the Guardian reported, adding that the hackers had posted a $10 million ransom demand.
Daile Kelleher, chief executive of reproductive rights organization Children by Choice, said there are many reasons – beyond the simple violation of privacy – why patients would not want others to know that they had terminated a pregnancy.
Although abortion is legal in Australia, it remains “a fairly stigmatized form of healthcare”, and releasing the data could put some women at risk, Kelleher said. “Our biggest concern was the impact this might have on people experiencing reproductive coercion and abuse, or domestic and family violence, in their lives.”
The Medibank hack was the second media attack of this kind in the country in recent months. Telecommunications company Optus was the victim of an attack in September in which the data of 10 million customers was illegally accessed. Some of it included driver’s license and passport numbers.
The Australian Federal Police are working with the FBI and other foreign intelligence partners to investigate the release of the “upsetting and highly personal information”, the agency said in a statement on Wednesday.
Hours later, Prime Minister Anthony Albanese said he was a Medibank customer but was not affected by the hack. Cybersecurity Minister Clare O’Neil called the hack “morally wrong” and called those responsible “scumbags” when addressing parliament on Thursday.