Hackers Leak Stolen Patient Data After Ransomware Attack on Medibank

Medibank has warned its customers to be extra cautious after hackers started disclosing private medical data including names and dates of birth stolen from the Australian health insurance firm.

The stolen data, which included the customer’s names, Dates of Birth (DOB), passport numbers, and details of health claims were published by a ransomware group having connections with the notorious Russian-speaking REvil gang. This comes following Medibank’s statement that “we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.”

As per Agence France-Presse, the hackers categorized the initial sample of Australian attack victims into “naughty” and “good” groups, with the former comprising numerical diagnosis codes that seemed to link sufferers to alcohol abuse, HIV, and drug addiction.

Additionally, it’s thought that the leaked information contains the identities of prominent Medibank clients, possibly including key Australian government lawmakers like PM Anthony Albanese and Cybersecurity Minister Clare O’Neil.

According to the information leaked till now, there was the correspondence of negotiations between the hackers and Medibank Chief Executive Officer David Koczkar. Despite Medibank’s assertion that no banking information was accessed, snapshots of WhatsApp discussions indicate that the ransomware group intends to leak “keys for decrypting credit cards” as well.

“Based on our investigation to date into this cybercrime we currently believe the criminal did not access the credit card and banking details,” Medibank Spokesperson Liz Green said.

A total of 200 Medibank clients’ personal information have so far been leaked by the cybercriminal gang behind the attack. According to Medibank, around 9.7 million clients’ personal information as well as nearly 500,000 customers’ medical claims data were accessed by hackers.

Medibank is expecting the situation to get worse, stating that it “expects the criminal to continue to release files on the dark web.” The hackers said they intended to “continue posting data partially, including confluence, source codes, list of stuff and some files obtained from media file system from different hosts.”

Medibank says that it would keep in touch with all concerned customers and provide them with detailed advice and information on what details the hackers have accessed. Clients who are more likely to receive scam emails should be sure they are indeed coming from Medibank. Explaining further, Medibank stated that it wouldn’t ask for personal information via email. Avoid clicking any links if in doubt.

Suggested Read: Australian Defence Department Hit by Ransomware Attack