Medibank has urged its customers to be on high alert after cybercriminals began leaking sensitive medical records stolen from the Australian health insurance giant.
A ransomware group with ties to the notorious Russian-speaking REvil gang began publishing the stolen records early Wednesday, including customers’ names, birth dates, passport numbers and information on medical claims. This comes after Medibank said it would not pay the ransom demand, saying, “We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.”
The cybercriminals selectively separated the first sample of Australian breach victims into “naughty” and “good” lists, with the former including numerical diagnosis codes that appeared to link victims to drug addiction, alcohol abuse and HIV, according to Agence France-Presse. For example, one record carries an entry that reads "F122," which corresponds with "cannabis dependence" under the International Classification of Diseases published by the World Health Organization.
It’s also believed the leaked data includes the names of high-profile Medibank customers, which likely includes senior Australian government lawmakers, like prime minister Anthony Albanese and cybersecurity minister Clare O’Neil.
The portion of data leaked so far, seen by TechCrunch, also appears to include correspondence of negotiations between the cybercriminals and Medibank CEO David Koczkar. Screenshots of WhatsApp messages suggest that the ransomware group also plans to leak “keys for decrypting credit cards” despite Medibank’s assertion that no banking or credit card details were accessed.
“Based on our investigation to date into this cybercrime we currently believe the criminal did not access credit card and banking details,” Medibank spokesperson Liz Green told TechCrunch in an emailed statement on Wednesday, who deferred to its blog post.
The cybercriminal gang behind the Medicare ransomware attack, whose identities are not known but has relied on a variant of REvil's file-encrypting malware, has so far leaked the personal details of around 200 Medibank customers, a fraction of the data that the group claims to have stolen. Medibank confirmed on Tuesday that the cybercriminals had accessed roughly 9.7 million customers’ personal details and health claims data for almost 500,000 customers.
What should victims do?
In light of the data leak, which exposed highly confidential information that could be abused for financial fraud, Medibank and the Australian Federal Police are urging customers to be on high alert for phishing scams and unexpected activity across online accounts. Medibank is also advising users to ensure they are not re-using passwords and have multi-factor authentication enabled on any online accounts where the option is available.
Medibank also launched a "cyber response support package" for affected customers, Medibank's Green told TechCrunch. This includes hardship support, identity protection advice and resources, and reimbursement of government ID replacement fees. The health insurance giant is also providing a well-being line, a mental health outreach service and personal duress alarms.
Australia's federal police are investigating the breach in collaboration with agencies from around the Commonwealth, as well as from the other members of the "Five Eyes" group of intelligence-sharing governments, including the U.K., U.S., Canada and New Zealand. Operation Guardian, the Australian government's response to the recent wave of cyberattacks that began with the data breach at telco giant Optus, will be extended to Medibank to protect its customers from “financial fraud and identity theft.”
“Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data,” said AFP Assistant Commissioner Cyber Command Justine Gough. “Law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offenses using stolen Medibank Private data.”
In its latest update, Medibank is bracing for the situation to worsen, saying that it “expects the criminal to continue to release files on the dark web.” On its dark web leak site, the cybercriminals said they planned to “continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi filesystem from different hosts.”
Medibank says it will continue to contact all affected customers with specific advice and details of what data the attackers have accessed. However, customers at a heightened risk of being targeted by fraudulent emails should ensure that emails are coming from Medibank. Medibank said it would not ask for personal details over email. If in doubt, don’t click any links.
It's not yet known whether Medibank customers will receive compensation following the breach or whether Medibank will face action for failing to protect users’ confidential medical data. The breach comes just weeks after Australia confirmed an incoming legislative change to the country’s privacy laws, following a long process of consultation on reforms. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches and greater powers for the Australian information commissioner.