Client data from Australia’s largest health insurer has been released by an extortionist, including details of HIV diagnoses and drug abuse treatments, after the company refused to pay a ransom for the personal records of almost 10 million current and former customers.
Medibank said the material released on the dark web appeared to be a sample of the data that it revealed was stolen last month.
The firm expects the thief will continue releasing data.
Reiterating a previous apology to customers, Medibank CEO David Koczkar said: “This is a criminal act designed to harm our customers and cause distress.
“We take seriously our responsibility to safeguard our customers and we stand ready to support them.”
The data included what the thief called a “naughty list” of more than 100 names. Among them were patients who had contracted HIV and others who were treated for addictions to drugs and alcohol and for mental health problems.
One of the exposed customers contacted by Nine News television responded with anger toward Medibank.
“Letting customers discover their most sensitive information imaginable has been published and hearing it on the news, Medibank’s response has been pathetic,” the unidentified man, whose image was not broadcast, told Nine.
Australian cyber security Minister Clare O’Neil, who is a Medibank customer and has had personal data stolen, urged social and traditional media companies to prevent their platforms from being used to share people’s stolen medical histories.
“If you do so, you will be aiding and abetting the scumbags who are at the heart of these criminal acts and I know that you would not do that to your own country and your own citizens,” Ms O’Neil told parliament.
She said the number of people whose medical information has been released was “small at this stage”.
“But I want the Australian people to understand that that is likely to change, and we are going through a difficult period now that may last for weeks, possibly months, not days and hours,” Ms O’Neil added.
Prime Minister Anthony Albanese, who is also a Medibank customer, welcomed the company’s refusal to pay the hacker to have the records returned.
“This is really tough for people. I’m a Medibank Private customer as well and it will be of concern that some of this information has been put out there,” Mr Albanese told reporters, referring to a Medibank brand.
“The company has followed the guidelines effectively, the advice, which is to not engage in a ransom payment. If you go down this road, then you end up with more difficulties potentially across a wider range.”
The thieves had reportedly threatened to expose the diagnoses and treatments of high-profile customers unless a ransom of an undisclosed amount was paid, but Medibank decided there was “only a limited chance” that a payment would prevent the data from being published.
A blogger using the name “Extortion Gang” posted on Monday night on the dark web that “data will be published in 24 hours”.
Medibank this week updated its estimate of the number of people whose personal information was stolen from four million two weeks ago to 9.7 million.
The stolen data includes health claims of almost 500,000 people including diagnoses and treatments, the company said.
The theft of the personal records of 9.8 million customers of Optus, Australia’s second-largest wireless telecommunications carrier, that was discovered on September 21 prompted the Australian government to promise heftier penalties for corporations that fail to protect private data.
The country’s house of representatives passed an urgent bill that would increase penalties for serious breaches of the Privacy Act from 2.2 million Australian dollars (£1.2 million) to 50 million Australian dollars (about £27 million) or more.
The government hopes the bill will be passed by the senate and become law this month.