Medibank: Data stolen from Australia health insurance available online


Personal data of hundreds of Australians has been posted online after it was stolen from the country’s largest health insurer, Medibank.

Some health claims data – including medical procedure history – was released, along with names, addresses, birthdates and government ID numbers.

PM Anthony Albanese said that as a Medibank customer he was among those concerned their data may become public.

“This is really tough for people,” he said on Wednesday.

The data of 9.7 million Medibank customers was stolen last month. A sample was released on Wednesday after the insurer refused to pay a ransom.

It comes amid a string of high-profile data breaches in Australia.

  • How a massive data breach has exposed Australia

The release of private health information can be “distressing and embarrassing”, Australian Federal Police said, warning those whose data is yet to be released are at risk of blackmail.

“Please do not be embarrassed to contact police… if a person contacts you online, by phone or by SMS threatening to release your data unless payment is made,” Assistant Commissioner Justine Gough said.

All customers affected – whether their information has been publicly released or not – are also at risk of phishing scams, she said.

Medibank has apologised for what it has called the “malicious weaponisation” of private information, and promised to work “around the clock” to inform customers whose information has been published.

But Home Affairs Minister Clare O’Neil – who has previously said Australia is “a decade behind” in cybersecurity – has defended Medibank, saying the company followed government advice in not paying the ransom.

The group responsible are “scumbags” and “disgraceful human beings”, she said.

The stolen Medibank data was posted on a blog linked to Russian ransomware group REvil, local media report. More data will be posted soon, the blogpost says.

Medibank says the information was obtained after login details allowing access to all its customer data was stolen.

The “criminal” also obtained access to data from its subsidiaries, including ahm insurance. Ahm is a smaller health insurance brand owned by Medibank.

While millions have been affected, the most serious breach was for around 500,000 customers who have had private health information stolen, Medibank said.

But the company has stressed that no credit card or banking details were accessed.

In September Australian telecommunications giant Optus was also targeted for extortion, after the personal data of about 10 million customers was stolen in what the company called a cyber-attack.