CANBERRA, Australia (HPD) — A cybercriminal had an Australian health insurer’s customer data, including diagnosis and treatment information, withheld in the country’s second major privacy breach in a month, authorities announced Thursday.
Medibank’s listing has been suspended on the Australian market since Wednesday, when police warned that the company had been contacted by a “criminal” who wanted to negotiate a ransom for stolen customer data.
Medibank, which has 3.7 million customers, said Thursday that the criminal had provided a sample of 100 customer policies from an alleged 200-gigabyte loot of stolen data.
The data included names, addresses, dates of birth, national health service identification numbers and phone numbers.
Of greater concern were the records of medical diagnoses and procedures, said cybersecurity minister Clare O’Neil.
“Financial crime is a terrible thing. But ultimately, a credit card can be substituted,” O’Neil told reporters. “The threat being made here to publish personal health information of Australians is a sneaky act,” he added.
The thief had threatened to sell Medibank data to third parties and identified the records of 1,000 politicians, media workers, actors, LGBTQ activists and drug addicts, according to Nine Network News.
“We found people with very interesting diagnoses,” the thief told Medibank, according to reports.
The company declined to comment on the alleged threats. In a statement, the company’s CEO, David Koczkar, said his company was working with specialist cybersecurity companies as well as police and government experts to manage the leak.
The attack came a month after another cyberattack stole the personal data of 9.8 million customers from telecoms firm Optus.
The Optus breach, which left the personal information of more than a third of Australia’s population compromised, prompted the government to propose urgent reforms to privacy laws that would increase penalties for companies that fail to protect customer data and limit the amount of data that can be saved.