Hackers put stolen medical records relating to abortions on the dark web on Thursday after Australia’s largest health insurer refused to pay them a ransom. The extortionists, described by a government minister as “scumbags”, are demanding AU$14m (£8m) from Medibank to stop leaking stolen information about clients.
The hackers posted a file labelled “abortions” on a dark web blog that is linked to ransomware crime group REvil, which some experts say has links to Russia.
The data in the file is understood to include procedures claimed for by policyholders in relation to the termination of pregnancies, including non-viable pregnancies, ectopic pregnancies, molar pregnancies, miscarriages, and readmission for complications.
Medibank said in a statement that the hackers “released an additional file on a dark web forum containing customer data that is believed to have been stolen from our systems. These are real people behind this data, and the misuse of their data is disgraceful and may discourage them from seeking medical care.
“Given the data’s sensitive nature, we’re asking the media and others to support our ongoing efforts to minimise harm to customers, and not to unnecessarily download sensitive personal data from the dark web and to refrain from contacting customers directly,” it said.
The hackers have already published what they called a “naughty list” of people who appeared to have undergone treatment for drug addiction, alcohol abuse, or HIV.
Medibank says the details of almost 500,000 health claims have been stolen, along with personal information, after the unnamed group hacked into its system weeks ago. David Koczkar, chief executive of Medibank, said the release of the information was “disgraceful”.
“We take the responsibility to secure our customer data seriously and we again unreservedly apologise to our customers,” he said. “The weaponisation of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.
“These are real people behind this data, and the misuse of their data is deplorable and may discourage them from seeking medical care.”
Australia’s cybersecurity minister Clare O’Neil told parliament that the response of authorities and public agencies included “placing protective security around government data, state police working with affected individuals, the organisation of mental health support and counselling, and putting in place management plans around people who have some very specific vulnerabilities”.
Ms O’Neil also pledged that the police would track down those behind the hack, saying: “I want the scumbags behind this attack to know that the smartest and toughest people in this country are coming up to you.”
Addressing parliament, she said: “I want to say, particularly to the women whose private health information has been compromised overnight – as the minister for cyber security, but more importantly, as a woman – this should not have happened, and I know this is a really difficult time.”
She said that she had spoken twice with Mr Koczkar and made “abundantly clear the expectations of the Australian community about what this company owes to its customers given what has transpired here”.
Conversations between the hackers and Medibank, which have been published with the data dumps, show that the operation was initially intended to be a ransomware attack that would have denied the company access to its own customer records. But the hackers said they ran out of time to encrypt Medibank systems with ransomware, so fell back on the plan to monetise the data that had already been stolen.
On social media, women banded together to condemn the hackers’ release of sensitive medical information. One user wrote on Twitter: “The fact that the names and addresses of women who’ve had abortions were compromised in the Medibank data breach, in a separate file called ‘abortions’ is terrifying.”
Another user said: “The Medibank medical data is only ‘embarrassing’ because we consider it such. The hackers would have nothing if we all could agree on one thing: reaching out for medical help is never embarrassing, whatever the problem. It’s the opposite – a sign of strength and overcoming.”
David Shoebridge, from New South Wales, posted on Twitter: “Like millions of other Australians, my family was caught up in the Medibank breach & today we’re learning our personal data is on the dark web. Our worst data breach nightmares are playing out in real time, as our existing laws & data protection systems are no match for hackers.”