Those behind for the hack are believed to be in Russia, Australian Federal Police Commissioner Reece Kershaw said. “Our intelligence points to a group of loosely affiliated cybercriminals who are likely responsible for past significant breaches in countries across the world.”
The insurer, Medibank, had said in a statement that the data included names, addresses, dates of birth, phone numbers and email addresses. Chief Executive David Koczkar said the information’s release — after a demand for ransom money was rejected — was “an attack on the most vulnerable members of our community.”
“The weaponization of people’s private information in an effort to extort payment is malicious,” he said.
Medibank acknowledged on Oct. 13 that it had been hacked. It later said the personal information of 9.7 million customers and 480,000 health claims were accessed.
The insurer announced Monday that it would not pay a ransom to keep the data private. On Wednesday, identifying information of customers who had accessed medical care, including for addiction recovery and mental health care, was released. That was followed on Thursday by information on patients who had sought and undergone abortions. On Friday, the Sydney Morning Herald reported the release of more sensitive data, this time related to alcohol and mental health issues.
Details of medical procedures involving about 500 people were part of the two online file drops, according to the Conversation, a nonprofit news site. The Herald said the third drop — in a file titled “Boozy” — included details on the care of 240 people.
Josh Roose, a political sociologist at Deakin University, said health-care organizations are common targets of ransomware attacks. But they usually find their IT systems locked, with a ransom demand in exchange for regaining access.
On occasion, cybercriminals have accessed personal health information — including a security breach this summer involving more than 235,000 patients of Keystone Health in Pennsylvania. Seldom do the cases escalate to the public release of sensitive health information, Roose said.
“It’s obviously a pretty disgusting line of attack to take,” he added. “And we know that there are hackers who deliberately target health services for precisely that reason. It tells you a little bit about how bad things are getting, and how, effectively, hardcore, this particular group is.”
According to Roose, the Medibank ransomware attack appeared to be connected to a Russian hacking group. The data was posted on a dark web forum linked to the collective REvil, the Guardian reported, adding that the hackers posted a demand for $10 million in ransom. Other reports Friday said the amount had increased to $15 million.
Daile Kelleher, chief executive of the reproductive rights organization Children by Choice, said there are many reasons — beyond the sheer violation of privacy — that patients would not want others to know they had terminated a pregnancy.
While abortion is legal in Australia, it remains “quite a stigmatized form of health care,” and the data release could put some women at risk, Kelleher said. “Our biggest concern was the impact that this could have on people who have reproductive coercion and abuse, or domestic and family violence, in their lives.”
The Medibank hack was the second high-profile attack of its kind in the country in recent months. Telecommunications company Optus was the victim of an attack in September, with the data of 10 million customers accessed illegally. Some of that included driver’s license and passport numbers.
Prime Minister Anthony Albanese said Wednesday that he was a Medibank customer but was not affected by the hack. Cybersecurity Minister Clare O’Neil called the hacking “morally reprehensible” and labeled those responsible “scumbags” when addressing Parliament on Thursday.
In his comments to the media, the federal police commissioner said his force was “undertaking covert measures” and working with domestic agencies and international networks, including Interpol, in pursuit of the hackers.
