Information from the high-profile Medibank data breach has begun to leak to the dark web as the company has publicly committed to not making ransom payments, and the incident appears to have the Australian government considering a change of policy. The criminals made off with over nine million records of health data in the breach, but thus far have leaked only several hundred in an apparent bid to get Medibank to reverse its decision.
Health data theft comes at inopportune time for Medibank
The massive theft of health data comes during a transitional period in Australia’s national privacy law, and one that is partially fueled by a string of similar attacks. Had this happened to Medibank just a little earlier, it would have been safely ensconced in the terms of the outdated Privacy Act 1988. But recent updates may put the company on the hook for big fines, even as some in the government praise it for refusing ransom payments.
Home Affairs Minister Clare O’Neil referred to Medibank in saying that the department is now taking a look at banning ransom payments in the “long term,” a controversial idea that most nations have decided against at this point. Some feel it is the only means by which to get the ransomware fire under control, but it could also potentially take away the only chance of averting a complete financial disaster (particularly for smaller businesses).
In the meantime, it appears the government will be having a look at Medibank’s security and data handling practices and how all of that contributed to the massive loss of health data. New terms that were recently adopted mean that the company could be on the hook for fines that can range up to the tens of millions of dollars. Medibank also faces the possibility of class action lawsuits, something that law firms are reportedly already drafting up.
Could ransom payments be banned in Australia?
The decision against the ransom payments may have had something to do with the contents of the stolen records, as it is possible that the majority of the 9.7 million that were stolen contained only contact information. Medibank has not broken down in detail what health data was stolen, only saying that about 500,000 health claims were among the records and that some contained visa, passport and Medicare numbers.
Medibank has warned customers that their health data may be compromised and publicly posted, and that they may be targeted by criminals due to the data breach. But the company takes the position that ransom payments would only encourage the criminals and would be unlikely to keep the data off the dark web in the long run.
There is some evidence that the attackers that hit Medibank are either former members or former affiliates of the notorious REvil ransomware gang. The attackers are leaking very sensitive records first, selecting public figures and politicians as well as people who may have had compromising conditions or treatments. The hackers also claim to have taken encrypted credit card numbers and have threatened to leak those as well, but Medibank says that it sees no evidence that any payment information was stolen.