“Arming people’s private information to extort payments is malicious,” he said.
Medibank admitted on October 13 that it had been hacked. It later said the personal information of 9.7 million customers and 480,000 health records had been accessed.
The insurer announced on Monday that it would not pay a ransom to keep the data confidential. Information was released Wednesday identifying clients who had accessed medical care, including addiction recovery and mental health care. Information on patients who had requested and undergone an abortion followed on Thursday. On Friday, the Sydney Morning Herald reported the release of more sensitive data, this time linked to alcohol and mental health issues.
Details of medical procedures involving about 500 people were part of the two online file drops, according to the Conversation, a nonprofit news site. The Herald said the third drop – in a file titled “Boozy” – contained details about the care of 240 people.
Josh Roose, a political sociologist at Deakin University, said healthcare organizations are common targets of ransomware attacks. But they usually find their IT systems locked down, with a ransom demanded in exchange for regaining access.
On occasion, cybercriminals have accessed personal health information, including in a security breach this summer involving more than 235,000 patients at Keystone Health in Pennsylvania. Rarely do cases escalate into the release of sensitive health information, Roose said.
“It’s obviously a pretty disgusting line of scrimmage,” he added. “And we know there are hackers targeting healthcare services for precisely this reason. It tells you a little bit about how bad things are getting and how effectively hardcore this particular group is.”
According to Roose, the ransomware attack on Medibank appears to be linked to a Russian hacking group. The data was published on a dark web forum affiliated with the REvil collective, the Guardian reported, adding that the hackers had made a $10 million ransom demand.
Daile Kelleher, executive director of the reproductive rights organization Children by Choice, said there are many reasons – beyond mere invasion of privacy – why patients would not want others to know they have terminated a pregnancy.
Although abortion is legal in Australia, it remains “a fairly stigmatized form of healthcare,” and the release of data could put some women at risk, Kelleher said. “Our greatest concern has been the impact this could have on people who have faced reproductive coercion and abuse or domestic and family violence in their lives.”
The Medibank hack was the second high-profile attack of this kind in the country in recent months. Telecom company Optus was the victim of an attack in September in which the data of 10 million customers was illegally accessed. Some of the records contained driver’s license and passport numbers.
The Australian Federal Police are working with the FBI and other foreign intelligence partners to investigate the release of the “disturbing and highly personal information,” the agency said in a statement on Wednesday.
A few hours later, Prime Minister Anthony Albanese said he was a Medibank customer but was not affected by the hack. Cybersecurity Secretary Clare O’Neil called the hacking “morally reprehensible” and called those responsible “scumbags” when she addressed Parliament on Thursday.