So far, at least 500,000 personal health records have been stolen.
Hackers plundered the health records of millions of customers from Australian health insurance provider Medibank, then dumped them on the dark web after Medibank refused to pay the demanded ransom.
The breach first came to light in October; at the time it was unclear how much the hackers had demanded in ransom or how much data had been compromised. Regardless, Medibank didn't play ball, and true to their word, the hackers uploaded a batch of data.
Beyond health information, the data also includes "personal data such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for ahm customers (not expiry dates), in some cases passport numbers for our international students (not expiry dates), and some health claims data," Medibank stated in a tweet.
The private health insurer believes that the data of all 3.9 million of its current customers has been compromised. That number could reach nearly 10 million if former customers are included, though the total extent of the breach remains unclear.
Worse, Medibank expects the hackers to keep posting more of the stolen data.
Disturbingly, the hackers have posted "naughty" and "nice" lists of the stolen health records, Gizmodo reports. The "naughty" list is especially invasive, since it picks people based on sensitive health histories like seeking treatment for addiction and eating disorders.
So far, the hackers have not identified themselves, not even adopting a collective moniker (assuming they are, in fact, more than one person). As of now, the only clue to their identity is that the website of the now-defunct Russian ransomware operation REvil redirects to the hackers' blog, according to BleepingComputer.
"P.S. I recommend to sell medibank stocks," the hackers wrote in broken English, screenshotted here.
In addition, they claim the ransom they demanded was $10 million.
The Buck Stops
All the while, many have understandably expressed outrage at Medibank's handling of the situation. At best, the health insurer's response could be described as sluggish; at worst, critics would call it criminal.
Inexplicably, Medibank didn't even carry cyber insurance, meaning it might have to shell out up to $22 million in damages, excluding legal fees.
Medibank initially assured customers that, while there had been a breach, no data was compromised. The company's leaders couldn't have imagined how wrong they'd turn out to be.