The saga of the Medibank data breach has been unfolding for several weeks with no end in sight. The violation of patient confidentiality and the sheer scale of the privacy breach make the situation worse still.
The Medibank cyberattack is part of a consistent pattern of targeted attacks on healthcare organizations in 2022. Understanding how the ransomware attack started, how Medibank responded, and what the consequences were is critical to understanding the state of cybersecurity in the global healthcare industry.
A timeline of the Medibank ransomware attack
Medibank, one of Australia’s largest health insurance providers, confirmed a ransomware attack in October 2022. The news made headlines because Medibank Private Limited covers over 3.7 million people and has 4,000 employees.
- October 12
Medibank discovered suspicious activity on its network on Wednesday, October 12. As an initial response, Medibank immediately closed down parts of its systems, especially the customer-facing services, to minimize the risk of data loss. Within a few days, they sent out around 2.8 million emails notifying customers about the security incident.
- October 16
Things got much worse for Medibank a week later. The attackers contacted Medibank for ransom negotiations. The extortion started in earnest when the hackers threatened to sell and release the medical data of one thousand prominent media persons, politicians, actors, activists, and bloggers.
- October 20
Medibank confirmed the legitimacy of the hackers’ claims. However, they refused to pay the US$10 million ransom. According to Medibank’s CEO David Koczkar, paying the ransom “could have the opposite effect and encourage the criminals to directly extort our customers.”
- November 8
The hackers retaliated by encouraging Medibank shareholders to sell their shares and threatening massive data leaks if ransom demands were not met. Medibank stayed firm by not negotiating.
- November 9
The next day, the hackers released a “good list” and “naughty list” of customer data on the dark web. This gave Medibank executives another chance to verify the legitimacy of the stolen data.
- November 10
The hackers released a list of patient data related to abortions on the dark web. They lowered their ransom demand to US$9.7 million, or US$1 for each affected customer. Medibank executives refused to pay this ransom as well.
- November 20
The Medibank hackers released 1500 more patient records on the dark web. This batch of healthcare data included treatment details for people with heart problems, cancer, dementia, delirium, and other mental health issues.
How did the breach occur?
According to cybersecurity journalist Jeremy Kirk, the attackers obtained compromised credentials from the dark web, used them to gain VPN access, and from there reached Medibank’s internal servers. The hackers also claimed they had access to Medibank’s internal systems for a month before being discovered.
As per The Saturday Paper, the hackers found the login credentials of a Medibank support worker whose account lacked two-factor authentication. Once inside the network, they gained access to virtually the entire database of the health insurance provider.
The incident shows that even high-end security technology will fall short if your team members don’t follow basic cybersecurity measures.
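As an added illustration of the failure mode described above (this is example code, not Medibank’s own tooling, and the log format, account names and addresses are constructed assumptions), the Python below scans VPN authentication events for successful logins that completed without a second factor and for accounts connecting from a source address they have never used before.

```python
from collections import defaultdict

# Constructed sample of VPN authentication events (hypothetical format,
# not Medibank's real logs): timestamp user result mfa source_ip
SAMPLE_LOG = """\
2022-09-10T08:01:12Z j.smith success mfa=yes 203.0.113.10
2022-09-11T07:58:03Z j.smith success mfa=yes 203.0.113.10
2022-09-12T02:14:55Z support01 success mfa=no 198.51.100.77
2022-09-12T02:15:30Z support01 success mfa=no 198.51.100.77
2022-09-13T09:00:01Z a.jones failure mfa=yes 203.0.113.22
2022-10-01T03:40:10Z j.smith success mfa=yes 192.0.2.99
"""

def parse_events(text):
    """Parse whitespace-separated VPN auth lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, mfa, ip = line.split()
        events.append({"ts": ts, "user": user, "ok": result == "success",
                       "mfa": mfa == "mfa=yes", "ip": ip})
    return events

def find_risky_logins(events):
    """(timestamp, user, reason) for successful logins made without a second
    factor or from an address the account never used (first login = baseline)."""
    seen_ips = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["ok"]:
            continue
        if not ev["mfa"]:
            findings.append((ev["ts"], ev["user"], "single-factor"))
        known = seen_ips[ev["user"]]
        if known and ev["ip"] not in known:
            findings.append((ev["ts"], ev["user"], "new-source"))
        known.add(ev["ip"])
    return findings

def accounts_without_mfa(events):
    """Accounts that got in with a password alone: enforce MFA on these first."""
    return {e["user"] for e in events if e["ok"] and not e["mfa"]}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ts, user, reason in find_risky_logins(evs):
        print(f"{ts} {user}: {reason}")
    print("enforce MFA on:", sorted(accounts_without_mfa(evs)))
```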
What was stolen?
The true extent of the hack left customers and Australian authorities on high alert. The hackers stole data for 9.7 million current and previous customers.
The stolen information included names, email addresses, dates of birth, phone numbers, Medicare numbers, passport numbers, and visa details. Beyond personally identifiable information (PII), hackers stole confidential medical information.
Hackers stole health claims for over 192,000 customers containing confidential medical information. The details included hospital and procedure details, service provider names, and diagnosis codes.
Who’s to blame?
On November 11, the Australian Federal Police (AFP) released a statement accusing a group of Russian cybercriminals of the attack on Medibank. The hackers are linked to a well-known Russian cybercriminal gang called REvil (or Ransomware Evil).
The connection between REvil and the Medibank hack was made when an old REvil dark website started redirecting traffic to a new site hosting the unauthorized Medibank data. Another link to Russian cybercrime is that the Medibank employee’s stolen login credentials were sold on a Russian dark web forum.
What’s the cost of the ransomware attack?
While Medibank refuses to pay the US$10 million ransom, it still faces an enormous financial bill. According to The Sydney Morning Herald, Medibank faces financial losses of around US$1 billion.
The healthcare provider said the cybersecurity incident would cost up to US$35 million in remediation. The amount will likely go up as the cost of potential litigation and class-action suits adds up.
Bloomberg Intelligence analysts estimate that if even 10% of the affected customers join the class action suit and are paid the maximum of $20,000 in damages, Medibank would end up paying around US$960 million. Currently, the company is facing two class action suits: one from Bannister Law Class Actions and Centennial Lawyers, and another from Maurice Blackburn.
The healthcare sector’s cybersecurity woes
Sophos published a report, The State of Ransomware in Healthcare 2022, which found that ransomware attacks on healthcare have doubled in the last year. This sector saw the highest increase in attack volume (66%) and perceived complexity of attacks (67%).
So, what’s making the healthcare sector a target? There are several factors at play here, such as:
1. Private patient information is very lucrative for attackers and sells quickly on the dark web.
2. Healthcare staff work remotely on cloud-connected endpoints, greatly expanding the attack surface.
3. Employees lack cybersecurity awareness and ignore security best practices. Simple steps like enabling two-factor authentication and enforcing a robust password policy are often overlooked.
4. Hospitals have an extensive network of IoT devices and endpoints that are hard to secure without specialized help.
The way forward
Medibank’s troubles don’t seem to be over yet. There is no guarantee that attackers will cease releasing confidential patient data to the public. The enormous financial hit of up to US$1 billion will add to Medibank’s future problems.
The Medibank case is going to have a fundamental impact on how Australian authorities deal with overseas cybercriminals. Australia’s Minister for Cyber Security, Clare O’Neil, announced a “cross-agency, permanent force of 100 people whose job will be to hunt down cybercriminals around the world.” The model of policing cybercrime is due for a drastic change.
Healthcare sector organizations need to brace for a high volume of targeted attacks. For many healthcare service providers, cybersecurity is not a priority. That needs to change as soon as possible.
Partnering with a managed security service provider, like Ace MSS, is the most efficient way to optimize your security posture. With Ace experts as security partners, healthcare institutions can build a multi-layered security environment with accelerated attack response and actionable threat intelligence.