The hacker behind the cyber-attack on Medibank set a US$10m price on not releasing the data, they claimed, alongside a new leak of apparently hacked records that purports to contain abortion health information.
In the early hours of Thursday on a dark web blog linked to the REvil Russian ransomware group, the attacker posted that they initially sought US$10m from Medibank, then reduced the price.
“We can make discount 9.7m 1$=1 customer,” they said.
“Medibanks [sic] CEO stated, that ransom amount is ‘irrelevant’. We want to inform the customers, that he refuses to pay for yours [sic] data more, like 1 USD per person. So, probably customers data and extra efforts don’t cost that.”
In the second leak this week, the group has posted a file labelled “abortions”. The first dump was limited to a few hundred megabytes and included hundreds of names, addresses, birthdates, Medicare numbers and hospital addresses posted as “good list” and “naughty list”.
In screenshots of what the group claims to be WhatsApp communications between them and Medibank, the “naughty list” is said to include claims associated with high-profile names related to drugs or mental health issues.
The chat logs also include what the group claims to be CEO David Koczkar’s mobile number.
Medibank has said 9.7 million current and former customers are affected by the breach. That includes 5.1 million Medibank customers, 2.8 million ahm customers, and 1.8 million international customers.
The insurer says health claims for about 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers were accessed. The information exposed includes service provider names and codes associated with diagnosis and procedures.
There were also 5,200 My Home Hospital patients who had their personal and health data accessed, and 2,900 next of kin of these patients who had some contact details accessed.
In a statement, Koczkar condemned the latest release of information from the group.
“The release of this stolen data on the dark web is disgraceful,” he said.
“We remain committed to fully and transparently communicating with customers and we will be contacting customers whose data has been released on the dark web.
Sign up to Guardian Australia’s Afternoon Update
Our Australian afternoon update email breaks down the key national and international stories of the day and why they matter
Medibank has urged the media and others to not download the data from the dark web and to refrain from contacting customers directly.
The Australian federal police has also warned people it could be an offence to download the data.
“We use the powers and authorities of all of our agencies to disrupt the sale and distribution of the unlawfully obtained data,’’ AFP assistant commissioner cyber command, Justine Gough, said on Wednesday.
The AFP announced on Wednesday that it would expand Operation Guardian – which was set up to protect the 10,000 Optus customers who had their personal information posted online earlier this year – to those Medibank customers exposed.
The home affairs minister, Clare O’Neil, told parliament on Wednesday the hackers are “scumbags” but said the government had been preparing for the eventuality of the data being published.
A “national coordination mechanism” has been put in place between Home Affairs and the Health Department that includes protecting government data, coordinating with state police, working with people who are affected and providing mental health support and counselling.
She empathised with those hit by the attack, noting both she and the prime minister, Anthony Albanese, are Medibank customers.