Medibank won’t pay the ransom for data stolen in breach

Australian health insurance provider Medibank has announced it won’t be paying the ransom to the criminal(s) who stole data of 9.7 million of its current and former customers.

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” the company said.

The fact that the criminal didn’t succeed in deploying ransomware on the company’s IT systems and encrypting the data after stealing it was surely a factor in Medibank’s decision to withold the ransom.

The curent tally of potentially compromised data

The attacker was able to access data of current and former Medibank, ahm, and international customers. More specifically:

• Name, date of birth, address, phone number and email address for around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers
• Medicare numbers (but not expiry dates) for ahm customers
• Passport numbers (but not expiry dates) and visa details for international student customers
• Health claims data – service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered – for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers
• Personal and health claims data of around 5,200 My Home Hospital (MHH) patients, and some contact details of around 2,900 next of kin of these patients
• Health provider details, including names, provider numbers and addresses

The attacker did not compromise credit card and banking details, identity documents of Medibank and ahm resident customers, and health claims data for extras services.

Protecting customers

While there is no guarantee that direct customer extortion or an online data leak won’t happen, a few days after the initial revelation of the breach Medibank started setting up support services for affected customers, and announced they will be offering financial, mental health, identity protection and monitoring help, and reimbursement of fees for re-issue of identity documents that have been fully compromised.

They’ve added to that a cybercrime health & wellbeing line, a mental health outreach service, a mental health advice app, and even personal duress alarms for customers that are particularly vulnerable and/or with safety risks.

“Customers should remain vigilant as the criminal may publish customer data online or attempt to contact customers directly,” the company said, and advised them to be wary of phishing and scam attempts exploiting the situation.