Medihack compo probe
Prominent lawyers look into data-breach claim
AN INVESTIGATION into whether Medibank customers are entitled to compensation over the health insurer’s data breach has been launched.
More than 9.7 million Australians have had their personal data breached after the credentials of an employee with high-level access to Medibank systems were obtained and sold to hackers on a Russian cybercriminal forum.
The group has been releasing customer data on a dark web blog linked to the REvil Russian ransomware group since Wednesday.
High-profile law firm Maurice Blackburn announced on Sunday it was investigating a legal claim against Medibank for “one of the most serious data breaches in Australian history”. “Companies that hold their customers’ sensitive health information have an important obligation to make sure that information is safeguarded, commensurate with the sensitivity of that data,” principal lawyer Andrew Watson said.
“As custodians of customers’ personal health information, Medibank have a heightened responsibility to put in place greater safeguards to secure the personal and health claim information it collected from its customers, including appropriate security and monitoring systems to protect against unauthorised access or disclosure of that data.”
Federal police confirmed on Friday that Russian cyber criminals were behind the attack on the private health insurer. In response, a standing cybercrime operation targeting hackers has been established comprising 100 officers from the Australian Federal Police and the Australian Signals Directorate. The government has not ruled out the introduction of laws making it illegal for companies to pay ransoms to hackers.
Hackers had requested $US10m ($A15.1m) from Medibank to prevent the leak, but on advice from the Australian Federal Police and the government, the health insurer refused to pay up. Speaking on Sunday, Cyber Security Minister Clare O’Neil said the company had made the “right decision”.
“The idea that we are going to trust these people to delete data that they have taken off and may have copied a million times is just frankly silly,” she told ABC’s Insiders. “I think that was the right decision. And we are standing strong as a country against this. We don’t want to fuel that business model and that’s what happens when ransoms are paid.”