Canberra: Medibank Client data, including details of individuals’ medical procedures, was released by a hacker on Wednesday after Australia’s largest Health insurer Refused to pay ransom for personal records of nearly 10 million current and former customers.
The release of information on the dark web appeared to be a sample of data that Medibank had previously determined had been stolen last month, one of the companies said. Medibank expected that the thieves would continue to release the data.
“This is a criminal act designed to harm and cause distress to our customers,” Medibank CEO David Kozkar said in a statement reiterating earlier apologies to customers.
“We take our responsibility to protect our customers seriously and we stand ready to support them,” he added.
Cyber Security Minister Claire O’Neill, who is a Medibank customer and has had personal data stolen, urged social and traditional media companies to stop using their platforms to share people’s stolen medical history.
“If you do that, you will be aiding and abetting the scoundrels at the heart of these criminal acts and I know you will not do that to your own country and your own citizens,” O’Neill told parliament.
She said the number of people whose medical information was compromised “is low at this point.”
“But I want Australians to understand that there is potential for change and we are now going through a difficult period that will last weeks, possibly months, not days and hours,” O’Neill added.
Prime Minister Anthony Albanese, who is also a Medibank customer, welcomed the company’s refusal to pay to return the records to the hacker.
“This is really difficult for people. I am also a private customer of Medibank and it would be worrying that some of this information is put out there,” Albanese told reporters, referring to the Medibank brand.
“The company has effectively followed the guidelines, the advice, which is not to engage in ransom payments. If you go down this road, then you will potentially face a wider range of difficulties,” Albanese added.
The thieves threatened to expose the diagnoses and treatments of high-profile customers unless an undisclosed ransom was paid, but Medibank decided there was “only a limited chance” the ransom would prevent the data from being published.
A blogger using the name “Extortion Gang” posted on the dark web Monday night that “data will be published (sic) in 24 hours.”
Medibank this week updated its estimate that the number of people whose personal information was stolen rose to 9.7 million from 4 million two weeks ago. The stolen data included health claims for about 500,000 people, including diagnoses and treatments, the company said.
