Medibank Refuses to Pay Ransom After 9.7 Million Customers Exposed in Ransomware Hack
Australian health insurer Medibank today confirmed that personal data belonging to around 9.7 million of its current and former customers were accessed following a ransomware incident.
The attack, according to the company, was detected in its IT network on October 12 in a manner that it said was "consistent with the precursors to a ransomware event," prompting it to isolate its systems, but not before the attackers exfiltrated the data.
"This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers, and around 1.8 million international customers," the Melbourne-based firm noted.
Compromised details include names, dates of birth, addresses, phone numbers, and email addresses, as well as Medicare numbers (but not expiry dates) for ahm customers, and passport numbers (but not expiry dates) and visa details for international student customers.
It further said the incident resulted in the theft of health claims data for about 160,000 Medibank customers, around 300,000 ahm customers, and around 20,000 international customers.
This category comprises the service provider name, the locations where customers received certain medical services, and codes associated with diagnosis and procedures that were administered.
Medibank, however, said financial information and identity documents like driver's licenses have not been siphoned as part of the security breach and that no unusual activity has been observed since October 12, 2022.
"Given the nature of this crime, unfortunately we now believe that all of the customer data accessed could have been taken by the criminal," the company said, urging customers to be on the alert for any potential leaks.
In a standalone investor statement, the company also said it will not make any ransom payment to the threat actor, stating that doing so will only encourage the attacker to extort its customers and make Australia a bigger target.
Update: Medibank, in an update posted today, said that the threat actor behind the security incident has released files on the dark web containing customer data stolen from its systems last month after its refusal to pay a ransom.
"This data includes personal data such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for ahm customers (not expiry dates), in some cases passport numbers for our international students (not expiry dates), and some health claims data," it stated.
While the Australian company hasn't yet attributed the hack to a specific ransomware group, the data was posted on a dark web portal linked to REvil, which relaunched its operations earlier this May.