“The weaponization of people’s private information in an effort to extort payment is malicious,” he said.
Medibank acknowledged on Oct. 13 that it had been hacked. It later said the personal information of 9.7 million customers and 480,000 health claims was accessed.
The insurer announced Monday that it would not pay a ransom to keep the data private. On Wednesday, identifying information of customers who had accessed medical care, including for addiction recovery and mental health care, was released. That was followed on Thursday by information on patients who had sought and undergone abortions. On Friday, the Sydney Morning Herald reported the release of more sensitive data, this time related to alcohol and mental health issues.
Details of medical procedures involving about 500 people were part of the two online file drops, according to the Conversation, a nonprofit news site. The Herald said the third drop — in a file titled “Boozy” — included details on the care of 240 people.
Josh Roose, a political sociologist at Deakin University, said health-care organizations are common targets of ransomware attacks. But they usually find their IT systems locked, with a ransom demand in exchange for regaining access.
On occasion, cybercriminals have accessed personal health information, as in a security breach this summer involving more than 235,000 patients of Keystone Health in Pennsylvania. Seldom do the cases escalate to the public release of sensitive health information, Roose said.
“It’s obviously a pretty disgusting line of attack to take,” he added. “And we know that there are hackers who deliberately target health services for precisely that reason. It tells you a little bit about how bad things are getting, and how, effectively, hardcore, this particular group is.”
According to Roose, the Medibank ransomware attack appeared to be connected to a Russian hacking group. The data was posted on a dark web forum linked to the collective REvil, the Guardian reported, adding that the hackers posted a demand for $10 million in ransom.
Daile Kelleher, chief executive of the reproductive rights organization Children by Choice, said there are many reasons — beyond the sheer violation of privacy — that patients would not want others to know they had terminated a pregnancy.
While abortion is legal in Australia, it remains “quite a stigmatized form of health care,” and the data release could put some women at risk, Kelleher said. “Our biggest concern was the impact that this could have on people who have reproductive coercion and abuse, or domestic and family violence, in their lives.”
The Medibank hack was the second high-profile attack of its kind in the country in recent months. Telecommunications company Optus was the victim of an attack in September, with the data of 10 million customers accessed illegally. Some of that included driver’s license and passport numbers.
The Australian Federal Police is working with the FBI and other foreign intelligence partners to investigate the release of the “distressing and very personal information,” the agency said in a statement on Wednesday.
A few hours later, Prime Minister Anthony Albanese said he was a Medibank customer but was not affected by the hack. Cybersecurity Minister Clare O’Neil called the hacking “morally reprehensible” and labeled those responsible “scumbags” when addressing Parliament on Thursday.