
Anatomy of a Breach: Medibank — 9.7 Million Australians' Health Data Published After Ransom Refused

> series: anatomy_of_a_breach —— part: 166 —— target: medibank —— customers: 9,700,000 —— published: mental_health_hiv_pregnancy_data

Hedgehog Security 31 October 2022 14 min read

9.7 million Australians. Mental health records. HIV status. Published as punishment for not paying.

In October 2022, Medibank, one of Australia's largest private health insurers, disclosed that attackers had stolen the personal data of approximately 9.7 million current and former customers: names, dates of birth, addresses, Medicare numbers and, for a subset of around 480,000 customers, detailed health claims data including diagnosis codes, procedure codes, and provider details. That is more than a third of Australia's population.

Medibank refused to pay the ransom, consistent with Australian government advice that ransoms should not be paid. The attackers, linked to Russia's REvil ransomware operation, responded by publishing the stolen data on their leak site in categorised tranches, including files labelled 'abortions', 'boozy' (alcohol-related claims), and 'psychos' (mental health claims). The deliberate sorting and staged release of the most sensitive health data (mental health treatment, substance abuse rehabilitation, pregnancy terminations, and HIV status) was designed to cause maximum personal harm as retaliation for non-payment. The Australian government later sanctioned the Russian individual it identified as responsible.



When the most intimate data is weaponised as punishment.

The Medibank breach represented the darkest evolution of double-extortion ransomware: stealing data, demanding payment, and — when refused — deliberately publishing the most sensitive, stigmatised, and personally damaging health information to punish the victim organisation and harm its customers. The Ashley Madison breach (2015) had shown that personal data can destroy lives; Medibank showed that health data can be weaponised with surgical cruelty.

Health Data as a Weapon
Mental health records, addiction treatment, pregnancy terminations, HIV status: the attackers specifically selected and categorised the most stigmatised health conditions for publication. For UK <a href="/blog/sector-under-the-microscope-healthcare">healthcare organisations</a>, the Medibank case demonstrates that health data theft now carries the risk of deliberate, targeted publication of patients' most sensitive conditions. <a href="https://www.socinabox.co.uk/sectors/gp-surgeries">SOC in a Box for Healthcare</a> is built to detect bulk data exfiltration while it is still in progress, when there is still a chance to cut the attacker's access.
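The detection the paragraph above relies on, in its simplest volumetric form, as an added example that is not code from Medibank, Hedgehog Security or the SOC in a Box product: each internal host's bytes sent to external addresses are summed per hour and compared against an absolute floor and against that host's own historical norm. The flow-record layout, the internal address ranges, the baseline figures and both thresholds are assumptions chosen for the illustration; the flow records themselves are constructed, not real telemetry.

```python
"""
Added example: a volumetric egress detector over NetFlow-style records.
Flags any internal host whose bytes to external addresses in one window
exceed an absolute floor or a multiple of that host's own baseline.
Record layout, baselines and thresholds are assumptions, not Medibank's.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed flow records (not real telemetry): "<UTC time> <src> <dst> <bytes sent>".
SAMPLE_FLOWS = """\
2022-10-12T01:10:00Z 10.20.5.14 10.20.9.2 4200
2022-10-12T01:12:00Z 10.20.5.14 198.51.100.10 1800000
2022-10-12T02:03:00Z 10.20.5.14 203.0.113.77 61000000
2022-10-12T02:41:00Z 10.20.5.14 203.0.113.77 58000000
2022-10-12T02:15:00Z 10.20.5.20 198.51.100.10 1500000
2022-10-12T02:20:00Z 10.20.5.20 10.20.9.2 900000000
2022-10-12T03:05:00Z 10.20.5.31 203.0.113.9 250000000
"""

# Assumed internal address space (RFC 1918). Configured explicitly rather than via
# ipaddress.is_private, which also treats the documentation ranges used above as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed per-host typical egress per hour, as if learned over prior weeks (hypothetical figures).
BASELINE_BYTES = {"10.20.5.14": 2_000_000, "10.20.5.20": 1_000_000}
DEFAULT_BASELINE = 5_000_000   # hosts with no learned baseline
ABS_FLOOR = 100_000_000        # 100 MB/hour to the outside always gets a look
FACTOR = 10                    # as does ten times the host's own norm


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    ts, src, dst, nbytes = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst, int(nbytes)


def egress_per_window(lines, window=timedelta(hours=1)):
    """Sum bytes from each internal host to external addresses, per time window."""
    span = int(window.total_seconds())
    totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        when, src, dst, nbytes = parse_flow(line)
        # Only internal -> external counts as egress; east-west traffic is ignored here.
        if not is_internal(src) or is_internal(dst):
            continue
        start = int(when.timestamp()) // span * span
        bucket = datetime.fromtimestamp(start, tz=timezone.utc)
        totals[(src, bucket)] += nbytes
    return totals


def detect_bulk_egress(lines, baseline=BASELINE_BYTES, abs_floor=ABS_FLOOR, factor=FACTOR):
    """Return one alert per (host, window) whose external egress is anomalous."""
    alerts = []
    for (src, bucket), nbytes in sorted(egress_per_window(lines).items()):
        expected = baseline.get(src, DEFAULT_BASELINE)
        reasons = []
        if nbytes >= abs_floor:
            reasons.append(f"above absolute floor of {abs_floor} bytes")
        if nbytes >= factor * expected:
            reasons.append(f"{nbytes / expected:.0f}x this host's baseline of {expected} bytes")
        if reasons:
            alerts.append({"host": src, "window": bucket.isoformat(), "bytes": nbytes, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_egress(SAMPLE_FLOWS.splitlines()):
        print(f"{alert['window']} {alert['host']}: {alert['bytes']} bytes; " + "; ".join(alert["reasons"]))
```

On the constructed records, the 900 MB internal copy from 10.20.5.20 is ignored entirely, while 10.20.5.14's 119 MB to 203.0.113.77 during the 02:00 hour trips both tests. A per-host baseline matters because a backup server and a desk-side laptop have very different norms; a single global threshold either floods the SOC or misses the laptop.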
Punishment for Non-Payment
The staged publication of categorised data was explicitly retaliatory, intended both to punish Medibank and to show future victims what refusal costs. Medibank's refusal to pay was principled but came with devastating consequences for affected patients. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides guidance on ransom decisions, including the human impact of non-payment.
Stolen Credentials as Entry
The initial access was through compromised credentials belonging to a third-party contractor. As later set out by Australia's privacy regulator, a contractor's IT service desk operator had saved Medibank credentials in a browser profile that synced to a personal device infected with infostealer malware, and the stolen credentials were then used to log in to a Medibank VPN that did not enforce MFA. It is the same pattern documented across this series from <a href="/blog/anatomy-of-a-breach-target">Target</a> (2013) to <a href="/blog/anatomy-of-a-breach-uber-2022">Uber</a> (2022). <a href="/cyber-essentials">Cyber Essentials</a> requires MFA on cloud services, and the same requirement belongs on every remote-access path, contractor accounts included.
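What "MFA for every account, including contractors" looks like as a concrete check, as an added example and not Medibank's configuration or Cyber Essentials tooling: an audit over VPN gateway authentication logs for sessions established with a password alone, a list of accounts that can never satisfy an MFA prompt, and a weak policy (MFA enforced only for accounts that have enrolled, so an unenrolled contractor falls back to password) beside a hardened one (every account must be enrolled and present a strong factor, with no fallback). The log layout, the account names and the directory fields are assumptions; the log lines are constructed, not real Medibank logs.

```python
"""
Added example: audit VPN auth logs for password-only sessions and compare a
weak MFA policy with a hardened one. Log layout, account names and directory
fields are assumptions, not Medibank's or any vendor's real configuration.
"""
import re

# Constructed VPN gateway log lines (not real Medibank logs).
SAMPLE_AUTH_LOG = """\
2022-08-07T21:14:03Z vpn-gw01 user=svc.desk.contractor src=203.0.113.5 result=success factor=password
2022-08-07T21:20:41Z vpn-gw01 user=a.nguyen src=198.51.100.23 result=success factor=password+totp
2022-08-07T22:02:17Z vpn-gw01 user=svc.desk.contractor src=203.0.113.5 result=success factor=password
2022-08-08T08:15:09Z vpn-gw01 user=j.patel src=192.0.2.44 result=failure factor=password
2022-08-08T08:16:30Z vpn-gw01 user=j.patel src=192.0.2.44 result=success factor=password+push
"""

# Assumed identity directory extract: who is a third party, and who has a second factor enrolled.
ACCOUNTS = {
    "svc.desk.contractor": {"type": "contractor", "mfa_enrolled": False},
    "a.nguyen": {"type": "employee", "mfa_enrolled": True},
    "j.patel": {"type": "employee", "mfa_enrolled": True},
}

STRONG_FACTORS = {"totp", "push", "fido2", "hwtoken"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) factor=(?P<factor>\S+)$"
)


def has_second_factor(factor: str) -> bool:
    """True if the factor chain (e.g. 'password+totp') includes something beyond a password."""
    return any(f in STRONG_FACTORS for f in factor.split("+"))


def password_only_sessions(log_text: str, accounts=ACCOUNTS):
    """Successful VPN logins that never presented a second factor, with account context attached."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "success" or has_second_factor(m["factor"]):
            continue
        acct = accounts.get(m["user"], {"type": "unknown", "mfa_enrolled": False})
        findings.append({"ts": m["ts"], "user": m["user"], "src": m["src"],
                         "type": acct["type"], "mfa_enrolled": acct["mfa_enrolled"]})
    return findings


def unenrolled_accounts(accounts=ACCOUNTS):
    """Accounts that can never satisfy an MFA check: each one is a password-only door."""
    return sorted(u for u, a in accounts.items() if not a["mfa_enrolled"])


def weak_policy(user, password_ok, factor, accounts=ACCOUNTS):
    """Weak: MFA is checked only for accounts that enrolled; everyone else falls back to password."""
    acct = accounts.get(user)
    if acct is None or not password_ok:
        return False
    if acct["mfa_enrolled"]:
        return has_second_factor(factor)
    return True   # the gap: a stolen password alone admits an unenrolled account


def hardened_policy(user, password_ok, factor, accounts=ACCOUNTS):
    """Hardened: every account, contractor or staff, must be enrolled and present a strong factor."""
    acct = accounts.get(user)
    return bool(acct and acct["mfa_enrolled"] and password_ok and has_second_factor(factor))


if __name__ == "__main__":
    for f in password_only_sessions(SAMPLE_AUTH_LOG):
        print(f"{f['ts']} {f['user']} ({f['type']}) from {f['src']}: password only")
    print("unenrolled:", unenrolled_accounts())
    stolen = ("svc.desk.contractor", True, "password")
    print("weak policy admits stolen password:", weak_policy(*stolen))
    print("hardened policy admits stolen password:", hardened_policy(*stolen))
```

The log audit and the directory query answer different questions: the first finds doors that have already been walked through, the second finds doors that are still unlocked. Running both before an incident, and treating every entry in the second list as a finding rather than an exception, is the practical content of "MFA for all access".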
International Sanctions
The Australian government imposed sanctions on the identified Russian attacker, using targeted financial sanctions and travel bans as a tool against ransomware operators. This reflected the escalating government response to ransomware that began with the US cybersecurity executive order issued after <a href="/blog/anatomy-of-a-breach-colonial-pipeline">Colonial Pipeline</a> (2021).

Health data is the most dangerous data to lose. Protect it accordingly.

Medibank showed that health data breaches carry consequences beyond financial loss: they can cause lasting personal harm through the deliberate publication of stigmatised conditions. For UK healthcare organisations, the lesson is that stopping data from leaving the network matters as much as preventing initial access, because once a copy is in the attacker's hands the decision about publication is no longer yours. SOC in a Box for Healthcare detects bulk data exfiltration. Infrastructure testing validates network segmentation and data access controls. Cyber Essentials requires MFA, and that requirement should cover contractor accounts. UK Cyber Defence provides the incident response and crisis management capability for health data breaches.


Medibank: 9.7M patients' health data published as punishment. Could your patients' records be next?

<a href="https://www.socinabox.co.uk/sectors/gp-surgeries">SOC in a Box for Healthcare</a> detects data exfiltration. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates data access controls. <a href="/cyber-essentials">Cyber Essentials</a> requires MFA.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
