When the Australian health insurer Medibank Private Ltd. was hit with a ransomware attack last month, it provided regular updates to its customers, including the revelation that personal information from nearly 10 million of them was exposed. It also followed the government’s guidance on how to respond to the extortion demand.
Medibank didn’t pay the ransom. But that plan hasn’t worked out so well.
Following through on a threat, the hackers began publishing the most private medical details of some of Medibank’s customers, including terminated pregnancies, treatment for drug and alcohol addiction and heart attacks, according to a cybersecurity analyst, victims who have spoken publicly about the incident and local media reports.
About 1,000 patients have already had deeply personal data revealed on dark web forums, according to Medibank, and the hackers, who Australian authorities believe are Russian, have warned that more is coming.
“Unfortunately we expect the criminal to continue to release stolen customer data each day,” said David Koczkar, Medibank’s chief executive officer.
Medibank’s experience represents a nightmare scenario for companies and organizations attacked by ransomware, a type of cyberattack in which a victim’s data is encrypted until a payment is made to unlock it. Many ransomware gangs now steal data too and threaten to release the information unless payment is made. Despite guidance from government agencies, including the FBI, not to pay ransom demands, many victims end up doing so, including Colonial Pipeline Co., after a ransomware attack last year forced it to shut down a pipeline that provides fuel to the US East Coast.
Koczkar said in a statement that the company had been warned there was only a limited chance the data would be returned and not published even if they paid. The hackers sought $1 for every patient, or about $10 million, according to the Sydney Morning Herald.
“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” Koczkar said.
Emily Ritchie, a Medibank spokesperson, said the company wasn’t doing interviews “because the criminal is watching our every move, and we are trying to be really careful to not fuel the criminal.”
There have been other instances where hackers have released personal data, though it is unusual for such personal medical information to be exposed. In one episode disclosed in 2020, hackers breached a privately run psychotherapy center in Finland called Psykoterapiakeskus Vastaamo Oy and stole patient information, including session notes. The hackers extorted the center and individual patients for money, and distributed some data online.
The online leaks from the Medibank hack have so far revealed scores of phone numbers, addresses, dates of birth, billing codes, ID numbers and full names of the people who’d been impacted, according to some documentation viewed by Bloomberg News and reported in Australian media. Databases labeled “abortions,” “good list,” “students” and “naughty list” were among those found on the dark web, according to screen shots shared with Bloomberg. Another labeled “boozy” included patients who have sought help for alcohol dependency, according to CNN.
“When you consider both the sensitivity of the information and the massive number of individuals, this is one of the worst, if not the worst, breaches to ever have happened,” said Brett Callow, a threat analyst at the cybersecurity firm Emsisoft.
Meredith Griffanti, co-head of cybersecurity and data privacy communications at FTI Consulting, said her firm counsels hacking victims to not talk publicly about their decision on whether to pay a ransom. The hacking groups are tuned into the public responses of victims and media coverage, and if they feel like they aren’t getting what they want, “they’re going to do everything they can to make the ‘naming and shaming’ and/or extortion process as painful as possible,” she said.
“To put it bluntly, don’t antagonize the bad guys,” Griffanti said.
In Australia, meanwhile, people fretted about what information about them might be posted on the dark web and expressed disgust at the data that was already exposed.
David Shoebridge, a state senator for the environmental Greens Party, said on Wednesday that “like millions of Australians, I’ve been left in the dark as to precisely what data of mine and my family has been obtained by the hackers.”
“This has moved from a theoretical problem to a very personal problem,” he told Bloomberg. “Obviously you’re anxious about it and you have a sense of betrayal both by Medibank, and also by the Australian government in not ensuring that there are adequate protections in the first place.”
Kat, a woman in her mid-30s who works in human resources, posted on social media that she was among those whose data had been compromised.
Her health information isn’t “something I’m necessarily embarrassed about,” she told Bloomberg by phone. But she added, “I read that there’s an abortion list and people being good and bad. That’s completely horrific, something that might not have been discussed with family or even your partner but is now freely available is incredibly concerning.” She requested anonymity to discuss personal information.
Before the data was leaked, Medibank had told local media that it didn’t have cyber insurance, which sometimes covers the cost of ransom payments. It’s the policy of the Australian government that ransomware victims not pay, said Home Affairs Minister Clare O’Neil.
“The cyber thugs responsible for the Medibank cyber incident have weaponized medical information, particularly women’s, relating to some deeply personal, private matters,” she posted on Twitter on Friday. “It’s sickening and morally reprehensible.”
On Sunday, O’Neil said it was “pretty clear that Medibank was right not to pay the ransom,” because of the hackers’ subsequent release of the material. “The idea that we will trust these people to delete data that they have taken off and may have copied a million times is frankly silly,” she said in an interview on an ABC News program.
On Friday, the Australian Federal Police attributed the attack to a “group of loosely affiliated cyber criminals who are likely responsible for past significant breaches in countries across the world.”
“We believe those responsible are in Russia,” AFP Commissioner Reece Kershaw said in a televised statement, adding that they would be holding talks with Russian law enforcement about the attacks. “We know who you are.”
The Medibank hack was one of several major cybersecurity incidents Australian companies had reported in recent weeks. In late September, Singapore Telecommunications Ltd.’s Optus unit disclosed a vast leak of data on past and present customers. A ransom was demanded in that case as well, but it was later retracted by the alleged hacker.
Melbourne-based Australian Clinical Labs Ltd. reported in October that data on almost 250,000 patients and staff had been accessed in February. Health records and credit card details were among the information that was compromised, it said.
(Corrects the spelling of Meredith Griffanti’s name in 13th paragraph.)
With assistance from Keira Wright and William Turton.