Medibank Data Breach 2022
Breach Summary
The Medibank breach of 2022 affected all 9.7 million current and former Medibank customers in Australia — the country's largest health insurer — exposing health claims data, diagnoses, and treatment information for the entire customer base. The attackers threatened to publish particularly sensitive health data about individual policyholders including claims related to substance abuse treatment, HIV status, and pregnancy terminations as extortion leverage.
What Happened
Medibank detected the breach in October 2022. The attacker contacted Medibank demanding a ransom of $10 million AUD and threatening to publish customer health data. Medibank refused to pay. Over the following weeks the attackers published multiple tranches of customer data on a dark web blog, including data on customers with sensitive health conditions. The Australian government subsequently proposed an AUD 250 million fine under its proposed privacy law reforms.
Attack Vector Detail
The attackers obtained credentials from a third-party IT service provider that had access to Medibank's systems. Using those credentials, they accessed Medibank's ahm and international student health insurance platforms over several weeks before detection. Medibank's security tools did detect the activity and generated an alert, but the alert was not acted upon promptly enough to prevent data exfiltration.
The attackers, attributed to REvil-affiliated actors based in Russia, stole approximately 200GB of data including health claims records, diagnosis and procedure codes, and personally identifiable information for all 9.7 million affected individuals.
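The two defensive failures described above (a third-party service account used far outside its normal pattern, and an alert that aged without being actioned) lend themselves to a small worked example. The following is an added illustration, not code from the original page and not Medibank's tooling: it evaluates constructed session records for a vendor account against a contracted source-IP allowlist, an egress baseline and expected working hours, raises alerts, and then surfaces alerts that have sat unacknowledged past a triage SLA. The account name, networks, thresholds and log records are all assumptions made for the example.

```python
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample session records (JSON, one per line). These are illustrative
# only and are not Medibank's logs; field names are an assumption of this example.
SAMPLE_LOG = """\
{"ts": "2022-08-05T10:00:00", "user": "svc-itdesk-vendor", "src_ip": "198.51.100.20", "bytes_out": 120000000, "host": "ahm-claims-db01"}
{"ts": "2022-08-07T03:40:00", "user": "svc-itdesk-vendor", "src_ip": "203.0.113.77", "bytes_out": 9500000000, "host": "ahm-claims-db01"}
{"ts": "2022-08-08T09:05:00", "user": "jsmith", "src_ip": "10.20.30.40", "bytes_out": 50000, "host": "intranet"}
{"ts": "2022-08-09T02:50:00", "user": "svc-itdesk-vendor", "src_ip": "203.0.113.77", "bytes_out": 14000000000, "host": "osh-portal-db02"}
"""

# Assumed policy for the third-party account: which accounts are vendor-owned, the
# network the vendor is contracted to connect from, a per-session egress baseline,
# and the hours during which vendor activity is expected.
VENDOR_ACCOUNTS = {"svc-itdesk-vendor"}
VENDOR_ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
EGRESS_BASELINE_BYTES = 1_000_000_000  # 1 GB per session, a notional baseline
BUSINESS_HOURS = range(8, 19)          # 08:00 to 18:59 local time


@dataclass
class Alert:
    created: datetime
    user: str
    host: str
    reasons: list
    acknowledged: bool = False


def parse_log(text):
    """Parse one JSON record per line into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate_event(event):
    """Return the list of policy violations for a vendor-account event ([] if none)."""
    if event["user"] not in VENDOR_ACCOUNTS:
        return []
    reasons = []
    src = ipaddress.ip_address(event["src_ip"])
    if not any(src in net for net in VENDOR_ALLOWED_NETS):
        reasons.append("source outside vendor allowlist")
    if event["bytes_out"] > EGRESS_BASELINE_BYTES:
        reasons.append("egress above baseline")
    if datetime.fromisoformat(event["ts"]).hour not in BUSINESS_HOURS:
        reasons.append("outside vendor business hours")
    return reasons


def detect(events):
    """Raise one Alert per event that violates at least one policy rule."""
    alerts = []
    for event in events:
        reasons = evaluate_event(event)
        if reasons:
            alerts.append(Alert(datetime.fromisoformat(event["ts"]),
                                event["user"], event["host"], reasons))
    return alerts


def overdue_alerts(alerts, now_iso, sla_hours=4):
    """Return alerts still unacknowledged after the triage SLA has elapsed.

    The point is that an alert which fires but is never actioned provides no
    protection; anything past the SLA should escalate to a human on call.
    """
    now = datetime.fromisoformat(now_iso)
    sla = timedelta(hours=sla_hours)
    return [a for a in alerts if not a.acknowledged and now - a.created > sla]


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(a.created.isoformat(), a.user, a.host, "; ".join(a.reasons))
    for a in overdue_alerts(found, "2022-08-09T05:00:00"):
        print("ESCALATE: unacknowledged past SLA:", a.created.isoformat(), a.host)
```

On the constructed records, the first vendor session (allowlisted source, small egress, daytime) raises nothing, while the two night-time sessions from an unlisted address with multi-gigabyte egress each raise an alert; at 05:00 on August 9 the older alert is long past the four-hour SLA and is escalated, whereas the newer one is still within it. Stacking several weak signals on a single third-party account in this way gives a triage queue something concrete to prioritise, rather than a lone alert competing with everything else.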
Breach Pattern Timeline
October 12, 2022
Medibank — Australia's largest private health insurer covering ~3.9 million customers — detects unusual activity in its IT network. Activates incident response.
October 13, 2022
Medibank publicly confirms cyberattack. Initially states no customer data accessed.
October 19, 2022
Medibank revises disclosure: customer data WAS accessed. Attribution emerges to REvil-linked Russian threat actors.
October 20, 2022
Threat actors begin direct extortion demands of Medibank — $10M ransom (~$15M AUD). Medibank publicly refuses to pay, citing the precedent it would set.
November 9, 2022
Threat actors publish first batch of stolen Medibank data on dark web — includes 'good list' and 'bad list' files identifying customers with sensitive medical records (mental health, drug/alcohol treatment, abortion procedures, HIV diagnoses). Public disclosure causes significant harm to affected individuals.
November 10-30, 2022
Threat actors publish additional batches of customer data. Australian Federal Police and Australian Signals Directorate investigate. Significant public outrage about disclosure approach.
February 2023
Australian Federal Police publicly attribute Medibank breach to a group of Russia-based criminal hackers and identify some specific individuals. Australia's first use of this attribution-and-naming approach.
January 2024
Australian government issues sanctions against Aleksandr Ermakov for the Medibank breach — Australia's first cyber-sanctions action.
2024-2026
Australian Information Commissioner litigation against Medibank is ongoing, seeking $50,000-per-affected-individual penalties (potentially $200B+ exposure if the maximum is applied). Class action claims are also ongoing. The Medibank case is the foundational precedent for the Australian breach response and sanctions framework.
Total impact: 9.7 million customers' data accessed (3.9M Medibank + 5.1M ahm/international subsidiaries), $10M ransom refused, sensitive medical records weaponized for selective disclosure, foundational precedent for Australian breach sanctions framework and patient harm assessment.
Executive Lessons
The Medibank breach demonstrated that cyber insurance does not protect an organization from the reputational and regulatory consequences of a healthcare data breach. Medibank's decision not to pay the ransom — guided by government advice and the view that payment would not guarantee data deletion — resulted in the publication of highly sensitive patient data including HIV status, mental health treatment records, and substance abuse information. The breach also generated significant regulatory action against Medibank for inadequate data protection practices.
Private Equity Implications
For PE sponsors with healthcare portfolio companies, Medibank established that health data breaches carry regulatory, legal, and reputational consequences that exceed payment card breaches in severity. Any portfolio company holding health claims, diagnosis, or treatment data must be treated as a priority security investment target.