Medibank has warned that more customer data stolen by hackers, including passport numbers, will be uploaded to the dark web after the first files are deleted overnight.
The data droplet includes names, dates of birth, addresses, email addresses, phone numbers, health claim information, Medicare numbers for Medibank’s ahm customers, and passport numbers for international student customers.
The leak comes after Medibank customers raised concerns about the sensitivity of the data that could be released, particularly on children, people with sexually transmitted diseases and drug addicts.
Adult Medibank customers are now at risk of being scammed or socially stigmatized if their health records become public.
Children (who can’t provide input about the plans their parents sign them up for or what health conditions are revealed) are also at additional risk if they find themselves in a family violence situation if their home address or the location of the health care service has been exposed publicly.
Medibank previously confirmed to the TBEN that some of the stolen data the hacker had already shared with the company included customers under the age of 18.
There are serious concerns that digital criminals will misuse the data, which appeared on a ransomware group’s blog under “good list” and “naughty list” in the early hours of Wednesday.
The naughty list contained the details of the treatment of, among other things, alcohol abuse, drug use and anxiety for 100 Medibank customers.
The good list reveals private information about clients being treated, including treatments for prostatitis, gastric band removal, cataracts, and colitis.
Albanian supports Medibank
Medibank has promised to tell customers what data it believes has been stolen, if any of their data is included in the files on the dark web, and advice on what to do.
Cyber Security Minister Clare O’Neil labeled the hacking as the “lowest low”, noting that while only a small amount of people’s personal health information had been shared so far, that was likely to change.
“I cannot express the horror I have for the bastards who are at the heart of this criminal act,” she told parliament.
“People have a right to keep their health information private, even among ransomware attackers, the idea of disclosing other people’s personal medical information is considered nonsensical.”
Ms O’Neil said Australian cybersecurity was five years behind when it needed to be and the government was working hard to rectify that.
The Australian Federal Police have expanded their joint initiative with the State and Territory Police set up to investigate the September Optus data breach to also address the Medibank hack.
“Operation Guardian will actively monitor the bright, dark and deep web for the sale and distribution of Medibank Private and Optus data,” said TBEN Assistant Commissioner Cyber Command Justine Gough.
“This is not just another attack on an Australian company. Law enforcement agencies around the world know that this is a crime type that has no borders and requires sharing of evidence and capabilities.”
Medibank had rejected the hacker’s demand to pay a ransom in exchange for not releasing the data.
Prime Minister Anthony Albanese said he agreed with Medibank’s decision, even though he was among the millions of Australians who were customers.
His private information has not yet been leaked.
“This is very difficult for people,” he said.
“I am also a Medibank Private customer and it will be concerning that some of this information has been published there.”
More leaks to come
The ransomware group indicated in a message from AAP that it was releasing data bit by bit due to its complexity.
“Looking back at the fact that data is stored in a not very comprehensible format (table dumps), we’ll take a moment to sort it out,” the listing reads.
“We will partially continue to post data, we need some time to make it beautiful.”
The hackers also appeared to have released screenshots of private messages recently exchanged with representatives of Medibank.
Medibank has previously confirmed that details of nearly 500,000 health claims were stolen, along with personal information, after the unnamed group hacked into its system weeks ago.
About 9.7 million current and former customers are affected.
No access to credit card or bank details has been obtained.
Deputy Liberal leader Sussan Ley called on the government to release funds earmarked by the former coalition to bolster companies’ defenses against hackers.
“Release the $60 million in funding that we set aside in grants that would go to organizations to make them more resilient to cyberattacks,” she told reporters.
“We need a plan to address the concerns of ordinary Australians, especially when their sensitive health information has been leaked.”
– with AAP