Major Australia health data hack exposes abortion patients


Details identifying abortion patients in Australia, stolen as part of a major data breach at a private health insurer, were posted Thursday on a dark web forum that appears to be linked to Russian hackers.

Insurer Medibank said in a statement that the data included names, addresses, dates of birth, phone numbers and email addresses. Chief Executive David Koczkar said the release of the information, after a demand for ransom money was rejected, was “an attack on the most vulnerable members of our community.”

“Weaponizing people’s private information in an effort to extort payment is malicious,” he said.

Medibank acknowledged on October 13 that it had been hacked. It later said that the personal information of 9.7 million customers and 480,000 health claims were accessed.

The insurer announced on Monday that it would not pay a ransom to keep the data private. On Wednesday, identifying information was released on clients who had accessed medical care, including for addiction recovery and mental health care. That was followed on Thursday by information about patients who had sought and had abortions.

Details of medical procedures involving some 500 people were part of the two online file dumps, according to The Conversation, a non-profit news site.

Josh Roose, a political sociologist at Deakin University, said healthcare organizations are common targets of ransomware attacks. But they usually find their IT systems locked down, with a ransom demanded in exchange for regained access.

On occasion, cybercriminals have accessed personal health information, including a security violation this summer involving more than 235,000 Keystone Health patients in Pennsylvania. Rarely do cases escalate to public disclosure of sensitive health information, Roose said.

“It’s obviously a pretty disgusting line of attack,” he added. “And we know there are hackers deliberately targeting health services for precisely that reason. It tells you a little bit about how bad things are getting and how, indeed, tough this particular group is.”

According to Roose, the Medibank ransomware attack appeared to be related to a Russian hacking group. The data was published on a dark web forum linked to the REvil collective, The Guardian reported, adding that the hackers posted a $10 million ransom demand.

Daile Kelleher, executive director of the reproductive rights organization Children by Choice, said there are many reasons, beyond the mere violation of privacy, why patients would not want others to know that they had terminated a pregnancy.

While abortion is legal in Australia, it remains “a fairly stigmatized form of health care,” and the data release could put some women at risk, Kelleher said. “Our biggest concern was the impact this could have on people who have reproductive coercion and abuse, or domestic and family violence, in their lives.”

The Medibank hack was the second such high-profile attack in the country in recent months. The telecommunications company Optus was the victim of an attack in September, with the data of 10 million customers illegally accessed. Some of that included driver’s licenses and passport numbers.

The Australian Federal Police is working with the FBI and other foreign intelligence partners to investigate the disclosure of “very personal and distressing information,” the agency said in a statement Wednesday.

A few hours later, Prime Minister Anthony Albanese said he was a client of Medibank but was not affected by the attack. Cyber Security Minister Clare O’Neil called the hack “morally reprehensible” and labeled those responsible “rubbish” when she addressed Parliament on Thursday.
