Australia has been experiencing a string of high-profile data breaches since late September, and the latest incident in the trend is the theft of 200 GB of health insurance information from Medibank. Worryingly, this data includes not just policy information but also medical records in some cases. The hacker was quick to gloat about this fact as part of a shakedown attempt, threatening to release information about celebrities and people in addiction treatment unless the company paid up.
Medibank has not commented on the amount of ransom being demanded or whether the company has made any payment, but says that the hacker has furnished it with about 100 health insurance records to confirm that the breach is legitimate.
Medibank is Australia’s largest health insurance provider with some 3.7 million customers and a market share of about 27%.
Medical records next in line for exposure as Australians grapple with ongoing identity theft concerns
The Medibank breach appears to have originated with a subsidiary company called AHM that serves as a budget health insurance provider, with a specialty in providing policies that are required by law for international students coming to Australia to study. AHM appears to have about one million health insurance customers, and some customer files do include personal medical records. Medibank has responded to the breach with a statement of apology and a promise to add more customer service agents to take calls from concerned policyholders.
The health insurance breach continues a chain of cybersecurity incidents that has involved a variety of personal records and impacted millions of Australians in a very short amount of time. The country’s two largest telephone service providers, Optus and Telstra, have suffered breaches that involved both customer and employee personal information. Several other recognizable companies have suffered breaches involving hundreds of thousands to millions of customer records in October, including Woolworths and Vinomofo.
Medical records are perhaps the most concerning form of data that has been leaked thus far, however. These are highly prized by hackers due to the variety of potentially actionable information they contain. They not only provide many of the tools needed for identity theft, but also open up the possibility of blackmail and health insurance fraud.
Health insurance records contain personal information, medical details
As with a number of the other companies that have recently been breached, Medibank is a market leader in Australia and has about 3.7 million total health insurance customers. The company saw trading temporarily halted by the Australian Securities Exchange last week as the story broke.
Medical records are the most concerning item that has been lost, but there is a lot to worry about in even the most vanilla health insurance policy as well: full names, home addresses, contact information (such as phone numbers), birth dates, and national identification numbers.
The hacker claimed that, if not paid their ransom, their next move would be to leak the information of some 1,000 high-profile or uniquely vulnerable people to the public. They claimed that this included famous figures, LGBTQ activists and people undergoing drug and alcohol addiction treatment. Ransomware does not appear to have been involved in the attack, despite some initial claims to the contrary.