Australian health insurer’s customers data hacked and published

Last updated on November 12th, 2022 at 12:51 pm

Medibank, the largest health insurer of Australia’s client data was published by a hacker on Wednesday, including details of medical procedures of each individual, the company refused to pay a ransom in exchange to protect the personal records of almost 10 million former and current customers of it. The release of information of customers has been released on the dark web that appears to be a sample of the data that Medibank had previously said was stolen last month.

“This is a criminal act designed to harm our customers and cause distress,” Medibank CEO David Koczkar said in a statement reiterating a previous apology extended to customers. “We take seriously our responsibility to safeguard our customers and we stand ready to support them,” he added.

Cybersecurity Minister Clare O’Neil, who happens to be a customer of Medibank, has urged social as well as traditional media companies to prevent their platforms to be used to share people’s stolen medical histories. “If you do so, you will be aiding and abetting the scumbags who are at the heart of these criminal acts and I know that you would not do that to your own country and your own citizens,” O’Neil told Parliament.

“But I want the Australian people to understand that that is likely to change and we are going through a difficult period now that may last for weeks, possibly months, not days and hours,” O’Neil added.

Welcoming the decision to deny giving ransom to hackers by Medibank, Australian Prime Minister Anthony Albanese – who is also a customer of the company – said, “This is really tough for people. I’m a Medibank Private customer as well and it will be of concern that some of this information has been put out there.” PM Albanese added, “The company has followed the guidelines effectively, the advice, which is to not engage in a ransom payment. If you go down this road, then you end up with more difficulties potentially across a wider range.”  

A blogger using the name “Extortion Gang” had on Monday night posted on the dark web that “data will be publish (sic) in 24 hours.” The thieves had reportedly threatened to expose the diagnoses and treatments of high-profile customers unless a ransom of an undisclosed amount was paid, but Medibank decided there was “only a limited chance” that a ransom would prevent the data being published, according to The Associated Press.