Medibank has warned more customer data stolen by hackers, including passport numbers, will be uploaded to the dark web after the first files were dropped overnight.
The data trickle includes names, birthdates, addresses, email addresses, phone numbers, health claims information, Medicare numbers for Medibank’s ahm customers and passport numbers for international student clients.
The leak comes after Medibank clients spoke out about their concerns over the sensitivity of the data that could be released, particularly regarding children, people living with sexually transmitted diseases, and drug addicts.
Adult Medibank customers are now at risk scams or social stigma if their health records become public.
Children (who don’t get to share input on what plans their parents sign them up for or what health issues are disclosed) are also put at extra risk if they are in a family violence situation if their home address or healthcare service location has been publicly exposed.
Medibank previously confirmed to the ABC that some of the sample stolen data already shared with the company by the hacker included customers under the age of 18.
There are grave concerns digital criminals will exploit the data, which began appearing on a ransomware group’s blog in the early hours of Wednesday under “good-list” and “naughty-list”.
The naughty-list included the details of treatment for issues like alcohol abuse, drug use and anxiety, among others, for 100 Medibank clients.
The good-list reveals private details of clients being treated, including treatments for prostatitis, gastric band removal, cataracts and colitis.
Albanese backs up Medibank
Medibank has promised to tell customers what data it believes has been stolen, if any of their data is included in the files on the dark web and give advice on what to do.
Cyber Security Minister Clare O’Neil labelled the hacking the “lowest of lows”, noting that while only a small number of people’s personal health information had been shared so far, that was likely to change.
“I cannot articulate the disgust I have for the scumbags who are at the heart of this criminal act,” she told parliament.
“People are entitled to keep their health information private, even amongst ransomware attackers, the idea of releasing personal medical information of other people is considered beyond the pale.”
Ms O’Neil said Australia’s cyber security was five years behind where it needed to be and the government was working hard to rectify that.
The Australian Federal Police have expanded their joint initiative with state and territory police set up to investigate September’s Optus data breach to also target the Medibank hack.
“Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data,” AFP Assistant Commissioner Cyber Command Justine Gough said.
“This is not just an attack on an Australian business. Law enforcement agencies across the globe know this a crime type that is borderless and requires evidence and capabilities to be shared.”
Medibank had rejected hacker demands it pay a ransom in return for the data not being released.
Prime Minister Anthony Albanese said he agreed with Medibank’s decision, even though he was among the millions of Australians who were clients.
His private details have not yet been leaked.
“This is really tough for people,” he said.
“I am a Medibank Private customer as well, and it will be of concern that some of this information has been put out there.”
More leaks to come
The ransomware group indicated in a post seen by AAP, it was releasing data bit by bit because of its complexity.
“Looking back that data is stored not very understandable format (table dumps) we’ll take some time to sort it out,” the post accompanying the lists said.
“We’ll continue posting data partially, need some time to do it pretty.”
The hackers also appeared to have released screenshots of private messages recently exchanged with Medibank representatives.
Medibank has previously confirmed that details of almost 500,000 health claims have been stolen along with personal information, after the unnamed group hacked into its system weeks ago.
Some 9.7 million current and former customers have been affected.
No credit card or banking details were accessed.
Deputy Liberal leader Sussan Ley called on the government to release money put aside by the former coalition to bolster business defence against hackers.
“Release the $60 million of funding we had put aside in grants that would go towards organisations to make them more resilient in the face of cyber attacks,” she told reporters.
“We need a plan to address the concerns of everyday Australians, particularly when their sensitive health information has been leaked.”