Major Australian health data hack exposes abortion patients

Details identifying abortion patients in Australia stolen as part of a private health insurer’s major data breach were released Thursday on a dark web forum that appears to be linked to Russian hackers.

The insurer, Medibank, said in a statement that the data included names, addresses, dates of birth, telephone numbers and email addresses. Chief executive David Koczkar said the release of the information – after a ransom demand was rejected – was “an attack on the most vulnerable members of our community.”

“Weaponizing people’s private information in an attempt to force payment is malicious,” he said.

Medibank admitted on October 13 that it had been hacked. It later said the personal information of 9.7 million customers and 480,000 health claims had been obtained.

The insurer announced on Monday that it would not pay a ransom to keep the data private. On Wednesday, identifying information from clients who accessed medical care, including for addiction recovery and mental health care, was released. This was followed on Thursday by information about patients who sought and underwent abortions.

Details of medical procedures involving about 500 people were part of the two online files, according to the Conversation, a nonprofit news website.

Josh Roose, a political sociologist at Deakin University, said healthcare organizations are common targets of ransomware attacks. But they usually find their IT systems locked down, with a ransom demand in exchange for regaining access.

On occasion, cybercriminals have gained access to personal health information — including a security breach this summer involving more than 235,000 patients from Keystone Health in Pennsylvania. Rarely do the cases escalate to the public release of sensitive health information, Roose said.

“It’s obviously a pretty disgusting line of attack to take,” he added. “And we know that there are hackers who deliberately target health services for exactly that reason. It tells you a little bit about how bad things get, and how, effectively, hardcore, this particular group is.”

According to Roose, the Medibank ransom attack appeared to be linked to a Russian hacking group. The data was posted on a dark web forum linked to the collective REvil, the Guardian reported, adding that the hackers had posted a demand for a $10 million ransom.

Daile Kelleher, chief executive of the reproductive rights organization Children by Choice, said there are many reasons — beyond the sheer invasion of privacy — that patients don’t want others to know they’ve terminated a pregnancy.

Although abortion is legal in Australia, it remains “quite a stigmatized form of health care”, and the release of data could put some women at risk, Kelleher said. “Our biggest concern was the impact this could have on people who have reproductive coercion and abuse, or family and domestic violence, in their lives.”

The Medibank hack was the second high-profile attack of its kind in the country in recent months. Telecommunications company Optus was the victim of an attack in September, with the data of 10 million customers illegally accessed. Some of the data included driver’s license and passport numbers.

The Australian Federal Police is working with the FBI and other foreign intelligence partners to investigate the release of the “disturbing and highly personal information”, the agency said in a statement on Wednesday.

A few hours later, Prime Minister Anthony Albanese said he was a Medibank customer but had not been affected by the hack. Cybersecurity Minister Clare O’Neil called the hacking “morally reprehensible” and branded those responsible “scumbags” when she addressed parliament on Thursday.
