The personal data of hundreds of Australians have been posted online after being stolen last month from the country’s largest health insurer, Medibank, and after demands for a ransom from the company.
A sample of the data from 9.7m Medibank customers was released yesterday when the insurer refused to pay the ransom, reports BBC News.
Some health claims information, including medical procedure history, was released, along with names, addresses, birthdates and government ID numbers.
Australian Federal Police has warned those whose data have not yet been released that they are at risk of blackmail.
“Please do not be embarrassed to contact police… if a person contacts you online, by phone or by SMS threatening to release your data unless payment is made,” said Assistant Commissioner Justine Gough.
All customers affected are also at risk of phishing scams, she said.
Medibank has apologised for “malicious weaponisation” of private information, and promised to work “around the clock” to inform customers whose information has been published.
Home Affairs Minister Clare O’Neil, who has previously said Australia is “a decade behind” in cybersecurity, has defended Medibank, saying the company followed government advice in not paying the ransom to the “scumbags” behind the theft.
The stolen Medibank data were posted on a blog linked to Russian ransomware group REvil, local media report. More data will be posted soon, the blogpost says.
Medibank says the information was obtained after login details allowing access to all of its customer data was stolen.
While millions have been affected, the most serious breach was for around 500 000 customers who have had private health information stolen, Medibank said, adding no credit card or banking details were accessed.
In September, Australian telecommunications giant Optus was also targeted for extortion, after the personal information of about 10m customers was stolen in what the company called a cyber-attack.
See more from MedicalBrief archives:
SA has highest percentage of human error healthcare data breaches – report
Medical providers most likely to be the culprits in health data breaches
Medical practitioners’ duties to safeguard patients’ information in terms of POPI
US Congress grills Facebook over patients’ health data privacy breach