Medibank: For refusing to pay ransom, hackers are now leaking stolen health data


Another hack in Australia as four million Medibank customers data exposed

  • Medibank said the personal data of all its customers, including those of its AHM division and every international-student client, was compromised.
  • The hack is likely to cost the company at least US$25 million to US$35 million, before any customer compensation, regulatory or legal costs.

Last week, Australia’s largest private health insurance company, Medibank, admitted it had as much as 200 gigabytes of data stolen from its servers, including “the location of where a customer received medical services, and codes relating to their diagnosis and procedures”. This week, the company highlighted that the hack has compromised its entire clientele, involving almost four million customers.

Medibank’s update significantly escalated the run of cyberattacks Australia has seen recently. In a filing to the Australian Stock Exchange, the company said its investigation into the breach has now established that the hacker had access to the personal data of all Medibank, AHM and international student customers, along with significant amounts of health claims data. 

The personal information includes name, address, date of birth, gender and, for some customers, Medicare card numbers. The health information includes the claim codes recorded for customers. It should be noted, however, that Medibank still can’t definitively say how many or which customers are affected beyond the 1,000 records the hacker has provided to the insurer over the past two weeks. So far, it is only through this communication with the hacker that Medibank has been able to determine the extent of the breach.

Because state and territory health record laws require the company to keep data for seven years, Medibank confirmed that the breach will also affect former customers. As of June 30, the company had 3.96 million customers. Medibank said the hack is likely to cost it at least US$25 million to US$35 million. The figure is large mainly because Medibank does not carry cyberattack insurance, and the estimate does not include customer compensation or any regulatory or legal costs that may be brought against the company.

With the extent of the attack still unclear, Medibank withdrew its guidance for policyholder growth this financial year. Separately, Bloomberg Intelligence’s Matt Ingram and Jack Baxter said, “Medibank’s data breach could cost over A$200 million. Premium hike suspensions and possible compensation of A$500-A$20,000 for each policyholder hurt by the breach are the main drivers. Theft of international student medical data may result in foreign government sanctions.” 

Experts largely believe that Australian organizations are being targeted in a new ‘cyber’ twist on age-old crimes. The most recent case, according to a Reuters report, is Australian Clinical Labs, which said its Medlab Pathology business suffered a data breach affecting about 223,000 accounts. The incident marks corporate Australia’s fourth major hack since September.

Besides Medibank, the country’s second-largest telco, Optus, and MyDeal, the online retailer majority-owned by Woolworths Group, were also hit by breaches that compromised the data of millions of customers. Synopsys head of solutions strategy for APAC Phillip Ivancic reckons that the theft of highly valuable personal information for financial gain is becoming more common in Australia. 

“Overseas criminal groups are attempting to exploit vulnerabilities in internet facing systems to ‘on-sell’, for lack of a better word, personal data to other cyber criminals to exploit in future. Although a relatively recent and high-profile phenomenon in Australia, these types of crimes have been going on globally for quite some time,” he said in an email statement. He also noted that the recent data breaches make it obvious that attackers are using continuous, automated tools to look for weaknesses in production, internet-facing applications, and he believes Australian organizations should do the same. 

“That way, if something changes from one day to the next day, you can pick up on it early and correct it. Dynamic application security testing (DAST) solutions are designed to be production safe, because clearly attackers are exploiting production applications and internet facing systems. A carefully chosen DAST solution will ensure your publicly facing web applications, and any APIs within those web applications, are being continuously monitored for new vulnerabilities,” he concluded.
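The day-over-day check Ivancic describes can be expressed as a diff between two snapshots of an organisation’s public attack surface. The script below is an added example, not code from Medibank, Synopsys or this article: it assumes a hypothetical snapshot format (per-path HTTP status, negotiated TLS version and response headers) that a production-safe, GET/HEAD-only probe would record each day, and it compares yesterday’s snapshot with today’s to flag the changes a practitioner cares about: newly exposed endpoints, an endpoint that stopped demanding credentials, a dropped security header, a TLS downgrade and a server banner that started leaking a version number. Both snapshots are constructed sample data, not real observations.

```python
"""Day-over-day drift check of an internet-facing attack surface (added example).

Snapshot format (hypothetical): {path: {"status": int, "tls": str, "headers": {name: value}}}
with header names lowercased. A real probe would collect these with GET/HEAD
requests only, so that the check itself is safe to run against production.
"""
import re

TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # weaker -> stronger
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
)
VERSION_RE = re.compile(r"\d+\.\d+")  # e.g. "nginx/1.18.0" discloses a version

# Constructed sample data: yesterday's baseline snapshot.
BASELINE = {
    "/": {"status": 200, "tls": "TLSv1.3", "headers": {
        "strict-transport-security": "max-age=31536000",
        "content-security-policy": "default-src 'self'",
        "x-content-type-options": "nosniff",
        "server": "nginx"}},
    "/api/v1/claims": {"status": 401, "tls": "TLSv1.3", "headers": {
        "strict-transport-security": "max-age=31536000",
        "x-content-type-options": "nosniff",
        "server": "nginx"}},
    "/login": {"status": 200, "tls": "TLSv1.3", "headers": {
        "strict-transport-security": "max-age=31536000",
        "content-security-policy": "default-src 'self'",
        "x-content-type-options": "nosniff",
        "server": "nginx"}},
}

# Constructed sample data: today's snapshot, with five regressions planted.
TODAY = {
    "/": {"status": 200, "tls": "TLSv1.3", "headers": {          # CSP header dropped
        "strict-transport-security": "max-age=31536000",
        "x-content-type-options": "nosniff",
        "server": "nginx"}},
    "/api/v1/claims": {"status": 200, "tls": "TLSv1.3", "headers": {  # 401 -> 200: auth gone
        "strict-transport-security": "max-age=31536000",
        "x-content-type-options": "nosniff",
        "server": "nginx"}},
    "/login": {"status": 200, "tls": "TLSv1.2", "headers": {     # TLS downgrade + banner leak
        "strict-transport-security": "max-age=31536000",
        "content-security-policy": "default-src 'self'",
        "x-content-type-options": "nosniff",
        "server": "nginx/1.18.0"}},
    "/debug/vars": {"status": 200, "tls": "TLSv1.3", "headers": {  # new endpoint appeared
        "server": "nginx"}},
}


def diff_surface(baseline, current):
    """Return (severity, path, message) tuples for every security-relevant change."""
    findings = []
    for path in sorted(set(current) - set(baseline)):
        findings.append(("high", path, f"new endpoint exposed, HTTP {current[path]['status']}"))
    for path in sorted(set(baseline) - set(current)):
        findings.append(("info", path, "endpoint no longer reachable"))
    for path in sorted(set(baseline) & set(current)):
        b, c = baseline[path], current[path]
        # An endpoint that used to reject anonymous requests now serves them.
        if b["status"] in (401, 403) and c["status"] == 200:
            findings.append(("critical", path,
                             f"auth regression: {b['status']} -> 200 without credentials"))
        # A hardening header that was present yesterday is missing today.
        for h in REQUIRED_HEADERS:
            if h in b["headers"] and h not in c["headers"]:
                findings.append(("medium", path, f"security header removed: {h}"))
        # Negotiated protocol got weaker.
        if TLS_ORDER.index(c["tls"]) < TLS_ORDER.index(b["tls"]):
            findings.append(("high", path, f"TLS downgrade: {b['tls']} -> {c['tls']}"))
        # Server banner started disclosing a version number.
        b_srv, c_srv = b["headers"].get("server", ""), c["headers"].get("server", "")
        if not VERSION_RE.search(b_srv) and VERSION_RE.search(c_srv):
            findings.append(("low", path, f"server banner now discloses version: {c_srv!r}"))
    return findings


if __name__ == "__main__":
    for severity, path, message in diff_surface(BASELINE, TODAY):
        print(f"[{severity:8}] {path:16} {message}")
```

The check is deliberately asymmetric: it reports hardening that was lost, not hardening that was gained, so the daily report stays short enough for someone to actually read, and a run against two identical snapshots produces nothing. Each finding carries the path and the before/after values so the owning team can correct the change the same day it appears.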

In light of the recent events, Australian Attorney General Mark Dreyfus reckons the country needs better laws to regulate how companies manage the large amounts of data they collect, and bigger penalties for “repeated or serious privacy breaches”. Dreyfus said he will fast-track amendments to the Privacy Act when federal parliament resumes next week. 

According to Bloomberg, the legislation will boost the maximum penalty for serious or repeated privacy breaches to A$50 million (US$32 million); three times the value of any benefit obtained through the misuse of information; or 30% of a company’s adjusted turnover in the relevant period, whichever is greater. The current level is a A$2.22 million penalty.