2022-11-15

SYDNEY – When the Australian health insurer Medibank Private Ltd. was hit with a ransomware attack last month, it provided regular updates to its customers, including the revelation that personal information from nearly 10 million of them was exposed. It also followed the government’s guidance on how to respond to the extortion demand.

Medibank didn’t pay the ransom. But that plan hasn’t worked out so well.

Following through on a threat, the hackers began publishing the most private medical details of some of Medibank’s customers, including terminated pregnancies, treatment for drug and alcohol addiction and heart attacks, according to a cybersecurity analyst, victims who have spoken publicly about the incident and local media reports.

About 1,000 patients have already had deeply personal data revealed on dark web forums, according to Medibank, and the hackers, who Australian authorities believe are Russian, have warned that more is coming.

“Unfortunately we expect the criminal to continue to release stolen customer data each day,” said Mr David Koczkar, Medibank’s chief executive officer.

Medibank’s experience represents a nightmare scenario for companies and organisations attacked by ransomware, a type of cyberattack in which attackers encrypt a victim’s data and demand payment for the key to unlock it.

Many ransomware gangs now steal data too and threaten to release the information unless payment is made. Despite guidance from government agencies, including the FBI, not to pay ransom demands, many victims end up doing so, including Colonial Pipeline Co., after a ransomware attack last year forced it to shut down a pipeline that provides fuel to the US East Coast.

Mr Koczkar said in a statement that the company had been warned there was only a limited chance the data would be returned and not published even if they paid. The hackers sought US$1 for every patient, or about US$10 million (S$9.2 million) according to the Sydney Morning Herald.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” Mr Koczkar said.

Ms Emily Ritchie, a Medibank spokeswoman, said the company wasn’t doing interviews “because the criminal is watching our every move, and we are trying to be really careful to not fuel the criminal”.

There have been other instances where hackers have released personal data, though it is unusual for such personal medical information to be exposed.

In one episode disclosed in 2020, hackers breached a privately run psychotherapy centre in Finland called Psykoterapiakeskus Vastaamo Oy and stole patient information, including session notes. The hackers extorted the centre and individual patients for money, and distributed some data online.

The online leaks from the Medibank hack have so far revealed scores of phone numbers, addresses, dates of birth, billing codes, ID numbers and full names of the people who’d been impacted, according to some documentation viewed by Bloomberg News and reported in Australian media.