Medibank Data Breach 2022
Breach Summary
The Medibank breach of 2022 affected roughly 9.7 million current and former customers of Medibank, Australia's largest private health insurer. Personal details were taken for all of them, and health claims data (diagnoses, procedure codes and treatment information) for a subset that Medibank put at around 480,000 customers. The attackers used the most sensitive of those records, including claims relating to substance abuse treatment, HIV status and pregnancy terminations, as extortion leverage, threatening to publish them unless paid.
What Happened
Medibank detected the breach in October 2022. The attacker demanded a ransom of US$10 million (roughly AUD 15 million at the time) and threatened to publish customer health data. Medibank refused to pay. Over the following weeks the attackers published multiple tranches of customer data on a dark web blog, including data on customers with sensitive health conditions. In the aftermath the Australian Parliament passed privacy law amendments that sharply increased the maximum penalty for serious privacy breaches, and the Office of the Australian Information Commissioner (OAIC) later commenced civil penalty proceedings against Medibank in the Federal Court.
Attack Vector Detail
The attackers obtained credentials belonging to an IT service desk contractor who held elevated access to Medibank's systems; according to the regulator's later court filings, the credentials were captured by infostealer malware on the contractor's personal device. They used those credentials to authenticate to Medibank's network, including a VPN that did not require multi-factor authentication, and moved through the environment for roughly two months before detection, reaching the ahm and international student health insurance platforms as well as Medibank's own systems. Medibank's security tooling did generate alerts on the activity, but the alerts were not triaged and escalated promptly enough to prevent the exfiltration.
The attackers, who published through infrastructure linked to the REvil ransomware group and were later attributed by Australian authorities to Russia-based criminals, stole approximately 200GB of data, including health claims records, diagnosis and procedure codes, and personally identifiable information drawn from the 9.7 million affected individuals.
Breach Pattern Timeline
October 12, 2022
Medibank, Australia's largest private health insurer, detects unusual activity in its IT network and activates incident response.
October 13, 2022
Medibank publicly confirms a cyberattack and initially states that there is no evidence customer data has been accessed.
October 19, 2022
Medibank revises its disclosure: customer data was accessed, and the threat actor has supplied sample records as proof. Attribution to REvil-linked, Russia-based actors emerges over the following weeks.
October 20, 2022
Threat actors make direct extortion demands of Medibank: a ransom of US$10M (roughly AUD 15M). Medibank publicly refuses to pay, citing the precedent that payment would set.
November 9, 2022
Threat actors publish first batch of stolen Medibank data on dark web — includes 'good list' and 'bad list' files identifying customers with sensitive medical records (mental health, drug/alcohol treatment, abortion procedures, HIV diagnoses). Public disclosure causes significant harm to affected individuals.
November 10-30, 2022
Threat actors publish additional batches of customer data. Australian Federal Police and Australian Signals Directorate investigate. Significant public outrage about disclosure approach.
February 2023
Australian Federal Police publicly attribute Medibank breach to a group of Russia-based criminal hackers and identify some specific individuals. Australia's first use of this attribution-and-naming approach.
January 2024
Australian government issues sanctions against Aleksandr Ermakov for the Medibank breach — Australia's first cyber-sanctions action.
2024-2026
OAIC litigation against Medibank: in June 2024 the Australian Information Commissioner commenced civil penalty proceedings in the Federal Court alleging serious interference with the privacy of some 9.7 million Australians. Because a penalty can be assessed per contravention, the theoretical maximum exposure reported at the time ran far beyond any privacy penalty previously imposed in Australia. Class action claims are also ongoing. The Medibank case is the foundational precedent for Australian breach response and the cyber sanctions framework.
Total impact: 9.7 million customers' data accessed (about 5.1M Medibank, 2.8M ahm and 1.8M international customers), a US$10M ransom refused, sensitive medical records weaponized for selective disclosure, and a foundational precedent for Australia's breach sanctions framework and patient harm assessment.
Executive Lessons
The Medibank breach demonstrated that cyber insurance does not shield an organization from the reputational and regulatory consequences of a healthcare data breach. Medibank's decision not to pay the ransom, guided by government advice and the view that payment would not guarantee deletion of the data, was followed by the publication of highly sensitive patient data including HIV status, mental health treatment records, and substance abuse information. The breach also generated significant regulatory action against Medibank over inadequate data protection practices, in particular the lack of multi-factor authentication on remote access and the failure to act on security alerts.
Private Equity Implications
For PE sponsors with healthcare portfolio companies, Medibank established that health data breaches carry regulatory, legal, and reputational consequences that exceed payment card breaches in severity. Any portfolio company holding health claims, diagnosis, or treatment data must be treated as a priority security investment target.
Frequently Asked Questions
What was the Medibank breach?
In October 2022, Australian health insurer Medibank disclosed that extortion actors had accessed and exfiltrated data on approximately 9.7 million current and former customers, including, for a subset of them, medical records detailing treatment history, mental health information, and substance abuse treatment. Medibank refused to pay the ransom; the attackers published the data on a dark web blog in installments through November and early December 2022.
How did attackers access Medibank?
Attackers used compromised credentials belonging to a third-party IT contractor who held elevated (administrator-level) access to Medibank's systems. According to the regulator's later court filings, the credentials were stolen by infostealer malware on the contractor's device. Because the VPN the credentials were used against did not require multi-factor authentication, possession of the username and password alone was enough to reach Medibank's internal network, from which the attackers accessed the systems holding customer medical records.
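The pattern in this answer and in Attack Vector Detail above (a stolen contractor credential accepted without MFA, a login from an unfamiliar location, and an alert that sat untriaged) is detectable with fairly simple logic. The following Python is an added example, not Medibank's own tooling or any vendor's product; the JSON log format, field names, account names, countries and triage SLAs are assumptions, and the log lines and alert records are constructed for illustration.

```python
"""Detection logic for the access pattern described on this page: stolen
contractor credentials used against a VPN that does not enforce MFA, and a
resulting alert that sits untriaged. Added example, not Medibank's tooling;
the JSON log format, field names, account names and SLA values are assumed."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample VPN authentication events (assumed JSON-lines format).
VPN_LOG = """
{"ts":"2022-08-12T09:02:11Z","user":"svc-helpdesk01","result":"success","mfa":false,"src_ip":"203.0.113.7","country":"AU"}
{"ts":"2022-08-12T22:41:05Z","user":"svc-helpdesk01","result":"success","mfa":false,"src_ip":"198.51.100.42","country":"RU"}
{"ts":"2022-08-13T08:15:30Z","user":"jdoe","result":"success","mfa":true,"src_ip":"203.0.113.9","country":"AU"}
{"ts":"2022-08-13T08:16:02Z","user":"jdoe","result":"failure","mfa":true,"src_ip":"203.0.113.9","country":"AU"}
""".strip()

# Constructed EDR/SIEM alert queue (assumed fields).
ALERTS = [
    {"id": "A-1", "severity": "high", "created": "2022-08-12T22:45:00Z", "acknowledged": None},
    {"id": "A-2", "severity": "low", "created": "2022-08-13T08:20:00Z", "acknowledged": "2022-08-13T08:35:00Z"},
]

PRIVILEGED = {"svc-helpdesk01"}                                  # assumed: accounts with elevated access
SLA = {"high": timedelta(hours=1), "low": timedelta(hours=24)}  # assumed triage SLAs per severity


def parse_ts(s):
    """Parse an RFC 3339 'Z' timestamp into a timezone-aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_events(text):
    """Parse JSON-lines auth events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_mfa_gaps(events):
    """Successful logins by privileged accounts that did not complete MFA.
    A single stolen password should never be enough for these accounts."""
    return [e for e in events
            if e["result"] == "success" and not e["mfa"] and e["user"] in PRIVILEGED]


def find_new_country_logins(events):
    """Successful logins from a country not previously seen for that user.
    The first successful login per user seeds its baseline."""
    seen, hits = {}, []
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        if e["result"] != "success":
            continue
        known = seen.setdefault(e["user"], set())
        if known and e["country"] not in known:
            hits.append(e)
        known.add(e["country"])
    return hits


def overdue_alerts(alerts, now):
    """IDs of alerts not acknowledged within their severity's SLA, measured
    against the acknowledgement time if present, otherwise against `now`."""
    overdue = []
    for a in alerts:
        deadline = parse_ts(a["created"]) + SLA[a["severity"]]
        end = parse_ts(a["acknowledged"]) if a["acknowledged"] else now
        if end > deadline:
            overdue.append(a["id"])
    return overdue


def run(now=None):
    """Run all three checks and return a findings summary."""
    now = now or datetime(2022, 10, 12, tzinfo=timezone.utc)  # the page's detection date
    events = parse_events(VPN_LOG)
    return {
        "mfa_gaps": [(e["user"], e["src_ip"]) for e in find_mfa_gaps(events)],
        "new_country": [(e["user"], e["country"]) for e in find_new_country_logins(events)],
        "overdue_alerts": overdue_alerts(ALERTS, now),
    }


if __name__ == "__main__":
    for check, findings in run().items():
        print(f"{check}: {findings}")
```

The first check is the one that would have mattered most here: a privileged account authenticating without MFA is a policy violation regardless of where the login came from, so it should fire on the very first event rather than wait for a geographic anomaly. The alert-aging check deliberately measures the unacknowledged window against the current time, so an alert like A-1 is reported as overdue as soon as its SLA lapses rather than only after someone eventually closes it.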
What data was exposed in the Medibank breach?
Exposed data included names, dates of birth, Medicare numbers, passport numbers, contact information, and detailed medical records including treatment dates, doctor names, procedures, mental health treatment, substance abuse treatment, and pregnancy termination records. The medical detail in the exposure made it uniquely harmful — the data revealed health information that affected individuals had not voluntarily disclosed.
Did Medibank pay the ransom?
No. Medibank's CEO David Koczkar publicly refused to pay the ransom, citing the moral hazard of incentivizing further attacks and the lack of any guarantee that paying would prevent publication. The attackers published the data in response. Once Australia sanctioned Aleksandr Ermakov in January 2024, making a payment to him became a criminal offence under Australian sanctions law.
What did Medibank establish for healthcare data security?
Medibank became Australia's most consequential cyber incident, prompting privacy and security law reform: the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 raised the maximum penalty for serious or repeated interferences with privacy to the greater of AUD 50 million, three times the benefit obtained, or 30% of adjusted turnover, and expanded the regulator's enforcement powers; a dedicated National Cyber Security Coordinator was created in 2023. For health insurers and healthcare organizations globally, Medibank established that medical record exposure produces qualitatively different harm than financial data exposure and warrants correspondingly stronger controls.