Nearly 10 million Australians have had their private health data hacked – with sensitive medical records detailing treatments for alcoholism, drug addictions, and pregnancy terminations already posted online – in a cyber-attack believed to have been coordinated from Russia.
The Australian Federal Police have said they know the identity of the Russian ransomware criminal organisation that hacked into the databases of Medibank, Australia’s largest private health insurer, stealing customer data over weeks inside the company’s computer systems.
After Medibank refused to pay a demanded ransom of US$9.7m – US$1 for every one of the 9.7 million people whose information has been compromised – the hackers have begun releasing sensitive data on the dark web.
Two initial tranches were posted on Wednesday to a dark web blog linked to the REvil Russian ransomware group: a so-called “naughty list” that detailed people’s treatment for drug addictions or mental health issues, and a “good list” that contained more generic hospital procedure claims. Each list contained data from about 100 Medibank customers.
On Thursday, the hackers posted another file labelled “abortions.csv” containing more than 300 claims made by policyholders in relation to the termination of pregnancies, including non-viable pregnancy, ectopic pregnancy and miscarriages.
On Friday, a further list was posted on the dark web – “boozy.csv” – containing files associated with 240 customers related to alcoholism-related treatment.
Medibank has said the data of 9.7 million current and former customers has been hacked: they have had their names, dates of birth, phone numbers, email addresses and addresses stolen. Some customers’ unique numbers for Medicare – Australia’s universal public healthcare scheme – have also been stolen, along with the passport information of international customers.
The hackers have also accessed the health claims of about 160,000 Medibank customers, about 300,000 customers of its subsidiary company, ahm, and data from 20,000 international customers.
The Australian prime minister, Anthony Albanese, himself a Medibank customer, said he was “disgusted by the perpetrators of this criminal act”.
“We know where they’re coming from, we know who is responsible and we say that they should be held to account.”
The Australian Federal Police (AFP) commissioner, Reece Kershaw, said on Friday to the hackers: “We know who you are.”
“We believe those responsible for the breach are in Russia,” he told reporters in Canberra, but declined to name the alleged perpetrators saying it would jeopardise an ongoing investigation.
“We believe we know which individuals are responsible … our intelligence points to a group of loosely affiliated cybercriminals who are likely responsible for past significant breaches in countries across the world.”
Kershaw said the attack was likely not limited to Russian soil, and that some affiliates of the organisation may be operating in other countries. He said the AFP was working in cooperation with the national central bureau of Interpol in Moscow.
Kershaw said the AFP had “runs on the scoreboard” in extraterritorial investigations. The AFP has successfully extradited people from Poland, Serbia, and the UAE in recent years to face criminal – mainly drug-related – charges in Australia.
But the chances of extraditing Russian hackers appear remote. In 2018, the Russian president, Vladimir Putin, said “Russia does not extradite its citizens to anyone.”
Kershaw said Australian government policy did not condone paying ransoms to cybercriminals.
“Any ransom payment, small or large, fuels a cybercrime business model, putting other Australians at risk.”
The AFP has expanded Operation Guardian – set up in September to protect 10,000 customers of telecommunications company Optus who had their personal information posted online earlier this year – to assist Medibank customers.
Australia’s cybersecurity minister, Clare O’Neil, vowed those behind the “morally reprehensible” cyber hack would be caught.
“I want the scumbags behind this attack to know that the smartest and toughest people in this country are coming after you,” she said.
“I want to say, particularly to the women whose private health information has been compromised … as the minister for cybersecurity but more importantly, as a woman, this should not have happened, and I know this is a really difficult time.”