A cyber-extortionist has leaked details of Australians’ medical histories online after a private health insurer refused to pay a ransom for the hacked records of almost 10 million customers.
Medibank said on Wednesday it expected more customer data to be released after the extortionist posted personal information, including names, addresses, and details of medical procedures, on a dark-web forum.
Local media reported that the data was posted on a forum linked to REvil, a ransomware crime group that Russian authorities reported shutting down earlier this year at the request of the United States.
Medibank CEO David Koczkar said in a statement the leak was “designed to harm our customers and cause distress” and reiterated an earlier apology to customers over the cyberattack.
Medibank reported that it had been subject to a cyberattack last month, estimating initially that four million customers had been affected before revising the figure to 9.7 million.
“It’s always a shock to have your data leaked online, particularly this volume of this sensitivity,” Troy Hunt, a cybersecurity expert and Microsoft regional director in Australia, told Al Jazeera.
“Unfortunately, if you want health insurance then they need to store precisely this sort of info.”
Prime Minister Anthony Albanese said the government was working with authorities to respond to the cyberattack, which follows a string of recent data breaches in Australia, including at the country’s second-biggest telecom company.
“This is really tough for people,” Albanese told a news conference. “I’m a Medibank private customer as well, and it will be of concern that some of this information has been put out there.”
On Monday, a blogger using the name “Extortion Gang” posted a message on the dark web threatening to publish the hacked data within 24 hours if a ransom was not paid.
Medibank said that it consulted with cybercrime experts before determining that paying the ransom would not ensure the return of customers’ data and could put “more people in harm’s way by making Australia a bigger target”.
Cybersecurity Minister Clare O’Neil said Medibank’s decision not to pay was consistent with government advice and urged social media platforms and media organisations not to facilitate the sharing of stolen medical histories.
“If you do so, you will be aiding and abetting the scumbags who are at the heart of these criminal acts and I know that you would not do that to your own country and your own citizens,” O’Neil told parliament.