October 21, 2022
Highly personal medical records have been stolen by the cyber ransomware gang that hacked Medibank’s customer database and is threatening to make the details public.
The “very specific” stolen data includes codes for medical conditions customers had been diagnosed with, and what treatment was prescribed.
This could potentially include deeply personal information relating to sexual health, serious diagnoses such as cancer, whether a woman has undergone a termination, and whether a person has been treated for a mental health condition or substance abuse.
The devastating data breach at the nation’s largest private health insurer has been referred to the Australian Federal Police, as the criminals behind the attack ramped up pressure on Medibank by sending the company copies of 100 customers’ stolen records.
The Australian Signals Directorate and private cyber-security firms are also working with Medibank to determine what was stolen and how the attackers infiltrated the company’s systems.
Along with names, ages, addresses, Medicare and other identifying information which would facilitate fraud, the stolen data also includes publicly identifiable codes which, if made public, would identify diagnoses and procedures the individual had undergone. It also includes the locations of where people underwent procedures.
The 100 records are thought to be the tip of the iceberg and while the 200 gigabytes of data stolen was not huge in contemporary terms, the specific nature of the records makes it an extremely concerning breach of privacy.
The full details of the attack – coming less than a month after the records of 10 million Optus customers were stolen in a cyber attack – are yet to be revealed.
Medibank said it had so far identified the breach as affecting customers of its ahm health insurance subsidiary and student services systems.
But with 3.9 million current customers, and Medibank confirming it was required to hold data for seven years, meaning former customers will likely be affected, the scale of the breach is expected to grow significantly.
Chief executive David Koczkar told The Australian the medical data collected was extremely detailed. “The data is very specific to the procedure,” he said. “We know people are going to be very anxious, we absolutely hear that.”
Mr Koczkar said the incident was now subject to an investigation by the AFP, following a ransom demand made by the hackers who threatened to release details on high-profile customers.
“We offer to start negotiations in another case we will start realizing our ideas like 1. Selling your Database to third parties 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, actors, bloggers, LGBT activists, drug addictive people, etc). Also we’ve found people with very interesting diagnoses. And we’ll email them their information,” the ransom demand stated.
Home Affairs Minister Clare O’Neil said while credit cards could be replaced, making “private, personal health information available to the public was a dog act”.
“That is why the toughest and smartest people in the Australian government are working directly with Medibank to try to ensure that this horrendous criminal act does not turn into what could be irreparable harm to some Australian citizens,” she said.
“I spoke to the Medibank CEO again for the second time this morning, and we made an agreement that officers from the Australian Federal Police and Australian Signals Directorate will locate themselves within Medibank to make sure we have every possible support to Medibank.”
Opposition cyber security spokesman James Paterson said the attack “has all the hallmarks of a very serious cyber incident”.
“The likelihood that highly sensitive and private medical information of Medibank customers has been stolen is very concerning,” he said.
Fergus Hanson, director of the International Cyber Policy Centre at ASPI, said while it seemed likely cyber-criminals were behind the Medibank attack, malicious state actors would also be interested in the information, particularly the private medical records, which could be used to extort or intimidate government officials and members of parliament.
He said the type of data stolen from Medibank was both “very sensitive” medical information, and enough personal information to facilitate fraud and identity theft. Mr Hanson said Australia was being specifically targeted by ransomware gangs because many Australian businesses paid ransoms, and the law did not specifically outlaw such payments.
“The Australian Cyber Security Centre’s guidelines are not to pay ransoms, but no one has ever been prosecuted for paying a ransom,” he said.
The issue was a legal grey zone, with other laws relating to dealing with organised crime potentially coming into play.
The Australian is not suggesting Medibank has paid, or is contemplating, paying a ransom.
“We are in a death spiral situation because we pay, then we get attacked and we pay and it goes on,” Mr Hanson said of the Australian cyber threat environment.
“Absolutely, companies pay ransom every day, it’s a very common problem. Government doesn’t respond to threat or extortion so I would be very surprised if they did (pay ransom) – certainly there are no known cases.”
Ms O’Neil said the formal advice from government was “don’t pay a ransom”. Asked if it was illegal to do so, she replied “no”. “Unfortunately, we are in a waiting game now,” she said.
“We’ve got criminal activity on foot. We’ve got essentially a crime being committed before our very eyes and we need to do everything we can to support Medibank.”
She said the second major breach of Australians’ data in just a month demonstrated “this is the new world for us” and that Australia needed to “do better”.
“We’re living in a digital age and the truth is that cybercrime is rising significantly all over the world,” she said.
“Interpol … have just made an announcement that cybercrime is their No. 1 crime concern. What it tells me is that we need to do better as a country. I think we’re in the order of five years behind where we need to be on our cyber laws and our policies and our approaches.”
Robert Potter, co-founder and CEO of Internet 2.0, said Australian businesses were being targeted every day. “It has been happening this way for years but now it’s been pushed into the public domain, people have a greater awareness,” he said.
Mr Potter said a balance needed to be struck between advising people that their private data had been stolen and meeting mandatory reporting obligations, and not inadvertently helping criminal cyber gangs, who used publicity to pressure companies into paying ransoms.
“Public accountability is important,” he said, but added “so is closing down the global ransomware industry.”
Mr Potter said media reporting of the specific threat made by the cyber gang attacking Medibank was “less than helpful”.
“We should treat it like a hate crime and not give them airtime. The focus should be on the victims,” he said.
Mr Potter will attend a global ransomware summit at the White House next week with Ms O’Neil and Department of Home Affairs secretary Mike Pezzullo.
Medibank has gone into a trading halt while it responds to the attack.
The company is contacting affected customers, has set up hotlines, and has mental health professionals available 24/7 to assist customers. “Medibank is in discussions with government stakeholders about what else we can do to assist our customers in safeguarding their identities and health information, and we will be in touch with customers about those steps directly,” it said.