ABC News
business reporters Emilia Terzon, Rhiana Whitson, Samuel Yang and Michael Janda

Medibank hackers target high-profile drug and mental health patients as AFP steps up action

Medibank customers remain in the dark about whether any of their personal information is among that leaked onto the dark web by hackers.

It appears the cybercriminals have published what they have termed "naughty" and "nice" lists of prominent people among the leaked data.

The ABC understands from multiple reliable sources that the "naughty" list includes around a hundred individuals, many with well-known surnames, who have undergone treatment for drug or alcohol use, or for mental health issues such as eating disorders.

Sam Biondo, the chief executive of the Victorian Alcohol and Drug Association, said the release of such private information could cause a lot of harm for the people affected.

"This was extremely concerning given the stigma that's associated with individuals who have alcohol or drug issues," he told ABC News.

"They are vulnerable in many ways, given that they've sought help for a problem that they've got."

The ABC has been told the information now on the dark web also includes raw and extremely limited information for around 5 million Medibank customers.

Medibank has admitted the data of 9.7 million past and former customers was breached when hackers gained access to a database of its three brands: Medibank, its budget brand ahm, and its international student arm, ohm.

Cyber security expert Troy Hunt said it is clear a lot of personal data has now been released by the hackers.

"It does appear to be legitimate," he told ABC News.

"I have just seen someone tweeting that the information that they found there about themselves was accurate.

"I don't know how many individuals are actually impacted in the data that's been leaked already. But several hundred megabytes worth of text is actually quite a bit of data."

Medibank warned on Wednesday that it expected further data leaks from the cybercriminals as it continues to refuse ransom demands.

'Lack of communication'

Meanwhile, Medibank's customers are uncertain about whether any of their data is now in the public domain.

"Our team is working around the clock so we can inform customers about their data we believe to have been stolen, and remind them of the support available," Medibank chief executive David Koczkar said on social media platform LinkedIn.

"We’ve begun to analyse the data released on the dark web and will contact those affected customers. This is a complex process and may take some time."

However, long-time Medibank customer Juliann Adriani is disappointed with the level of communication from the health insurer so far.

"What I'm very concerned about is the lack of communication, particularly to people that don't have access to social media or to email," she told ABC News.

"My father is 81 years old and he has had not one scrap of correspondence from Medibank Private, despite being a valued customer for a very, very long time."

For Ms Adriani, the lack of information has been very stressful, amid fears she is vulnerable to identity theft as a result of the stolen data.

"A feeling of dread and fear for unknown."

Mohique Gajdhar has no idea if his data has been published, has not been directly contacted by Medibank, and is concerned about the potential publication of his health data.

"Because that is a very private thing and that should not have been leaked and can be misused," Mr Gajdhar said.

"What prescriptions I take, what doctors I have been to, any medical procedures I may have had, all of that data could be leaked."

Like other international students he was required to get private health insurance to study in Australia.

"We pay a hefty amount to Medibank," he said.

"The federal government, the AFP, everyone should make sure this does not happen again and give assurances to international students that their data will be safe."

Australian Federal Police (AFP) Cyber Command Assistant Commissioner Justine Gough told reporters that it was potentially unlawful for even those who fear they may have had their details published online to access the leaked files to check if their details are there.

"They could be committing crimes themselves, because there are some privacy considerations and privacy laws that could be being breached," she cautioned.

'Scum of the earth'

Prime Minister Anthony Albanese is one of millions caught up in the data breach.

“This is really tough for people. I am a Medibank Private customer as well and it will be of concern that some of this information has been put out there,” he said at a press conference on Wednesday morning.

“The company has followed the guidelines effectively. The advice is to not engage in a ransom payment. If you go down this road, then you end up with more difficulties potentially across a wider range.

“But we will, through [home affairs minister] Clare O’Neil, be responding extensively about this. We are concerned and we will continue to monitor what is occurring.”

The AFP said it has stepped up Operation Guardian, in conjunction with state and territory police, in order to try and protect customer data.

"Overnight when information was unlawfully released online, the AFP immediately took action, including undertaking covert techniques," Ms Gough said.

"Investigators within AFP's Cyber Command are working with public and private sector agencies to scour the internet and known criminal online sites to identify those who are buying or selling personal identification information.

"It is an offence to buy stolen information online, which could include the penalty of up to 10 years imprisonment. It is also an offence to blackmail and minister customers."

Ms Adriani hopes the AFP do track down the people behind the hack.

"I think they just the low scum of the earth, basically," she said.

"I don't know what would drive anybody to do this. Apart from being really horrible people."

Law firms circle with class action

Medibank revealed on Monday that the data of nearly 10 million current and former customers, which includes names, dates of birth, addresses, phone numbers and email addresses, was exposed and may have been stolen.

But it rejected the ransom demand from the criminal, which the health insurer received "several weeks ago".

Mr Koczkar said the ransom amount was "irrelevant" and paying up would only increase risk of further extortion.

The hacker also accessed the health claims of about 160,000 Medibank customers, about 300,000 claims from customers of offshoot ahm and about 20,000 international customers.

But credit card and banking details and primary identity documents of local customers were not accessed, the company said.

Meanwhile, two law firms, Bannister Law and Centennial Law, are investigating the terms of the contracts the medical insurer provided to customers and whether damages are appropriate.

They believed Medibank betrayed customers and breached the Privacy Act by not stopping the hack.

No case has yet been filed with a court.

All Medibank and ahm customers have been urged to contact the company's cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or through an information page on the firm's website.

Medibank said its customers could also speak to experienced and qualified mental health professionals 24/7 over the phone for advice or support around mental health or wellbeing (1800 644 325).
