The Medibank hackers posted a message on the dark web overnight, demanding a US$9.7 million ransom not to release customer data.
In a second data leak, the hackers said they have also released sensitive details of customers’ medical procedures, specifically a file labelled “abortions”.
“Added one more file abortions.csv…,” the hackers posted.
The hackers initially sought a US$10 million ransom from the health insurer, but then reduced the price, writing: “We can make discount 9.7m 1$=1 customer”.
At least 9.7 million Australians, current and former customers, have been affected by the Medibank data breach.
The hackers had previously released data on Wednesday morning under a “naughty” and “nice” list. The “naughty” list is reported to include claims related to drug and mental health issues. The “nice” list is reported to be elderly patients whose medical records showed surgeries undertaken.
On its website, Medibank said the data includes personal data such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for ahm customers (not expiry dates), in some cases passport numbers for our international students (not expiry dates), and some health claims data.
Medibank chief executive David Koczkar said the release of this stolen data on the dark web is “disgraceful”.
“We take the responsibility to secure our customer data seriously and we again unreservedly apologise to our customers.
“The weaponisation of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.
“These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.”
Earlier in the week, Medibank revealed it had rejected the hackers’ demands to pay a ransom in return for the data.
“I cannot articulate the disgust I have for the scumbags who are at the heart of this criminal act,” Cyber Security Minister Clare O’Neil said.
“People are entitled to keep their health information private, even among ransomware attackers. The idea of releasing personal medical information of other people is considered beyond the pale.”