Home Affairs Minister Clare O’Neil has warned the “scumbag” hackers leaking sensitive Medibank patient information to the dark web could continue to drip-feed the data for months.
In a statement to Parliament, she’s also issued a clear warning to social media companies not to publish the confidential medical records.
“People are entitled to keep their health information private. Even amongst ransomware attackers, the idea of releasing personal medical information of other people is considered beyond the pale,” Ms O’Neil said.
“So make no mistake about it, this is not just any ordinary group of criminals, this is the lowest of the low.”
Ms O’Neil said law enforcement agencies including the Australian Federal Police and national security experts at the Australian Signals Directorate, were “the best in the world” and were working to help protect Australians.
“I know I do not need to point out the importance of social media companies not allowing this information to be published and not allowing it to be shared on your platforms and to traditional media companies, to not rubbish the private information of Australians,’’ she said.
“If you do so, you will be aiding and abetting the scumbags at the heart of these criminal acts and I know you would not do that to your own country and citizens.
“The Prime Minister said this morning that he is a Medibank customer like millions of other Australians. I am too.”
She warned Australians were about “five years behind where we should be with regard to cyber security and there is a power of work under way at the moment to change that.”
“We are working hard to protect you and to protect our country,’’ she said.
Russian hackers start releasing sensitive information
This comes as drug addicts and patients who have undergone weight loss surgery are having their confidential Medibank records dumped on the dark web.
Hackers have started posting the information today to a “naughty-list” that includes the details of dozens of Australian patients being treated for cannabis dependence or opioid addictions.
The shock development has prompted a plea from the Albanese Government that Australians do not share the sensitive information on social media channels.
Nearly 100 people on a “nice” list posted by the hackers have had details of their medical treatment for prostatitis, a disorder of the prostate gland usually associated with inflammation, exposed.
Prostatitis is not contagious and is not an STD. Symptoms include urinating more often, burning or stinging during urination, pain during urination, and fever and chills.
Other medical treatment information leaked by the hackers includes gastric band removal, mental health treatment and alcohol abuse.
“This is really tough for people,’’ Prime Minister Anthony Albanese said.
“I am a Medibank Private customer as well and it will be of concern that some of this information has been put out there,’’ he said.
The release of Medibank data
Medibank, the nation’s largest health insurer, issued a chilling warning to customers that sensitive death data released by hackers overnight was the real deal and it expected the “criminal will continue to release files on the dark web”.
In a statement, Medibank apologised to its millions of customers for the breach.
“We unreservedly apologise to our customers,’’ Medibank CEO David Koczkar said.
“This is a criminal act designed to harm our customers and cause distress.
“We take seriously our responsibility to safeguard our customers and we stand ready to support them,” he said.
After a midnight deadline expired for the nation’s largest health insurer to pay, the blackmailers started releasing hundreds of names and addresses overnight, bragging they have the screenshots to prove they are talking with the insurer.
“Hello. We received your message. We want to talk with you, but need to be sure you’re the person who says they have our data,’’ one message purportedly from Medibank states.
“Can you tell us all the addresses and phone numbers you sent messages to?”
In response, the alleged hackers said: “OK, we wait.”
Medibank then tells the hackers, “After considering all options, we have made a decision that we cannot pay your demand.
“It is also Australian government policy that ransoms should not be paid. We understand the impact this may have.”
Home Affairs Minister Clare O’Neil slammed the hackers as “disgraceful human beings” and urged others not to republish any sensitive data.
“I know you will not do that because that would be enabling and supporting the scumbags who are at the heart of these crimes,” she said.
In a statement, Medibank said it had become aware that the criminal has released files on a dark web forum containing customer data that is believed to have been stolen from Medibank’s systems.
“This data includes personal data such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for ahm customers (not expiry dates), in some cases passport numbers for our international students (not expiry dates), and some health claims data,’’ it said.
Medibank said the files appear to be a sample of the data that it had determined was accessed by the criminal.
“We will continue to work around the clock to inform customers of what data we believe has been stolen and any of their data included in the files on the dark web and provide advice on what customers should do,’’ the statement said.
“We expect the criminal to continue to release files on the dark web.”
In one exchange posted by the hackers, they threaten to keep leaking information until their demands are met.
“We’ll continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi filesystem from different hosts,’’ the message states.
“Looking back that data is stored not very understandable format we’ll take some time to sort it out,” they said.
“We’ll continue posting data partially, need some time to do it pretty.”
“P.S. I recommend to sell medibank stocks.”
Revealing for the first time new details on the scale of the cyber hack, Medibank confirmed this week the hackers accessed health claims data for around 160,000 Medibank customers and around 300,000 ahm customers.
In a statement to the ASX, Medibank chief executive David Koczkar apologised to the company’s 3.8 million members but said that there was no guarantee that paying the ransom would stop the hackers from using the stolen data and sensitive medical information.
“We take seriously our responsibility to safeguard our customers. The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” Mr Koczkar said.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.
“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”
“It is for these reasons we have decided we will not pay a ransom for this event,” he said.
In new information detailing the extent of the cyber attack, Medibank also revealed the hackers had:
• Accessed the name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives.
• This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers
• Did not access primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers. Medibank does not collect primary identity documents for resident customers except in exceptional circumstances
• Accessed Medicare numbers (but not expiry dates) for ahm customers
• Accessed passport numbers (but not expiry dates) and visa details for international student customers
• Accessed health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered. Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed
• Accessed health provider details, including names, provider numbers and addresses
• Did not access health claims data for extras services (such as dental, physio, optical and psychology)
• Did not access credit card and banking details
Medibank said customers should remain vigilant as the criminal may publish customer data online or attempt to contact customers directly.
“Medibank will also commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers,” Mr Koczkar said.
Since the attack was first detected on October 12, Medibank said no further suspicious activity inside its systems has been detected.
In recent weeks, a ransom note emerged threatening to release or sell to third parties personal information of persons of high media interest including diagnoses of sensitive medical conditions or addictions and credit card information.
The ransom note claimed to have access to sensitive medical information about “politicians, actors, bloggers, LGBT activists, drug addicted people, etc.”
Medibank confirmed in today’s statement that the stolen data included information about where customers received certain medical services, and codes associated with diagnosis and procedures administered.