Insurance company refuses to pay ransom, so hackers start releasing medical records of up to 10 million people

So far, at least 500,000 personal health records have been stolen.

Break the whales

Hackers looted the medical records of millions of customers of Australian health insurance company Medibank, then dumped them on the dark web after Medibank refused to pay the demanded ransom.

The hack first came to light in October, when it was unclear how much the hackers were asking for ransom or how much data had been compromised. Either way, Medibank didn’t play ball and, true to their word, the hackers dumped a bunch of data.

According to Medibank, apart from health information, the data also includes “personal data such as names, addresses, dates of birth, telephone numbers, email addresses, health insurance numbers for ahm customers (not expiration dates), in some cases passport numbers for our international students (not expiration dates), and some data on health claims,” the company said in a statement on Twitter.

The private health care provider estimates that data on all of its 3.9 million customers has been compromised. That number could rise to nearly 10 million if former customers are included, although the full extent of the breach remains unclear.

And what’s worse is that Medibank thinks hackers will only keep releasing more stolen data.

Hidden identity

Disturbingly, hackers have released “naughty” and “nice” lists of stolen health records, Gizmodo reports. The “naughty” list is particularly invasive, as it selects people based on sensitive health histories, such as seeking treatment for substance abuse and eating disorders.

So far, the hackers have refused to identify themselves, not even adopting a collective nickname (assuming they are, in fact, more than one person). At present, the only clue to who they are is the fact that the website of the now defunct Russian REvil ransomware operation redirects to the hackers’ blog, according to BleepingComputer.

“PS, I recommend selling shares of medibank,” the hackers wrote in broken English.

Moreover, they claim that the ransom they demanded was $10 million.

The buck stops

Throughout, many have understandably expressed outrage at Medibank’s handling of the situation. At best, the health insurer’s response could be described as limp. Others would say criminal.

Inexplicably, Medibank didn’t even have cyber insurance, meaning it could have to pay up to $22 million in damages, excluding legal fees.

Medibank first assured customers that although there was a breach, no data was compromised. Company executives could not have imagined how wrong they would be.
