Medibank, one of Australia’s largest private health insurers, detected a ransomware attack in October 2022. The attackers, believed to be part of a criminal organization based in Russia, exfiltrated approximately 9.7 million customers’ sensitive data and threatened to publish it online if Medibank refused to meet its ransom demand. In an unusual twist, the company reported that its systems had not been encrypted by the attackers.

Consistent with both Australian and American agency guidance, Medibank declined to pay the ransom demanded by the hacker group. In response, the hackers started to publish sample patient data on the dark web, organized into “naughty” and “nice” lists depending on the care each patient received. The data included birth dates, passport numbers, and sensitive medical information.

Medibank’s troubles didn’t stop there. As reported in the Australian press, hackers (who also successfully targeted other Australian firms) continue to sell patient data on the dark web, including “logins for personal Australian Tax Office accounts, medical and personal data of thousands of [National Disability Insurance Scheme] recipients, and confidential details of an alleged assault of a Victorian school student by their teacher.”

Furthermore, the Australian Prudential Regulation Authority (“APRA”) announced that it was “intensifying” oversight of Medibank. APRA stated that it would determine whether further regulatory action was necessary following an external review by Deloitte. And one of APRA’s members commented that she “expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate.” APRA added that, generally, it would further intensify supervision of firms that failed to comply with Australia’s information security prudential standards.

The full fallout from the Medibank breach is yet to materialize. However, the series of business disruptions that have already befallen the insurer might have some executives second-guessing their decision not to pay ransom. Of course, preventing external access and data exfiltration in the first place would have been their preferred outcome. We’ll see if, in APRA’s view, Medibank did enough to do that but was hacked nonetheless, or failed to adequately secure its systems.