Medibank hackers release Australian health insurer’s stolen customer data online

Information including details of people's medical procedures was released on the dark web after the company refused to pay a ransom

A Medibank Private branch in Sydney, Australia. The attack on Medibank exposed the data of about 9.7 million current and former customers. Bloomberg

Client data from Medibank, Australia's largest health insurance provider, has been published after the company refused to pay a ransom for the personal records of almost 10 million customers.

The information — including details of people's medical procedures — was released on the dark web on Wednesday.

It appeared to be a sample of data from current and former customers that Medibank said had been stolen last month.

Medibank said it expected the thief to continue releasing data.

“This is a criminal act designed to harm our customers and cause distress,” said Medibank chief executive, David Koczkar.

“We take seriously our responsibility to safeguard our customers and we stand ready to support them.”

Prime Minister Anthony Albanese, a Medibank customer and one of those who had personal data stolen, said he welcomed the company’s refusal to pay the hacker to have the records returned.

“This is really tough for people. I’m a Medibank Private customer as well and it will be of concern that some of this information has been put out there,” Mr Albanese said.

A computer and phone display pages from Medibank Private. The health insurer has ruled out paying a ransom for stolen customer data. AP

“The company has followed the guidelines effectively, the advice, which is to not engage in a ransom payment. If you go down this road, then you end up with more difficulties potentially across a wider range.”

The thieves had reportedly threatened to expose the diagnoses and treatments of high-profile customers unless a ransom of an undisclosed amount was paid, but Medibank decided there was “only a limited chance” that a ransom would prevent the data being published.

A blogger using the name Extortion Gang posted on the dark web that “data will be publish (sic) in 24 hours”.

Medibank this week updated its estimate of the number of people whose personal information was stolen from four million two weeks ago to 9.7 million.

The stolen data included health claims of almost 500,000 people including diagnoses and treatments, the company said.

Updated: November 09, 2022, 7:35 AM