Russian hackers stole 9.7 million Medibank records. Then they sorted the victims. "Good-list": names and dates of birth. "Naughty-list": the sensitive stuff. Abortions. Mental health treatment. HIV status. Drug and alcohol rehabilitation. Published on the dark web. Sorted by how much damage the information could do. Patients who had told nobody, not family, not friends, not employers, about their abortion, their rehab, their HIV status had those secrets published on the internet by hackers who categorised them by shame. Medibank refused to pay the ransom. Cybersecurity experts supported the decision. But the data is out there. Permanently. Nine point seven million Australians. Their most private medical moments, sorted into "good" and "naughty" by criminals, published forever. The OAIC took Medibank to the Federal Court seeking civil penalties. The theoretical maximum under the Privacy Act as it stood at the time: $2.22 million per contravention, multiplied across 9.7 million affected people, or roughly $21.5 trillion. Twenty-one point five trillion dollars. The OAIC's case is that Medibank failed to take reasonable steps to protect the health data of nearly 10 million Australians. The breach came weeks after Optus exposed the data of 9.8 million customers. In 30 days, approximately 20 million records were compromised, in a country of 26 million people. Counted by record rather than by person (many Australians were customers of both, and both figures include former customers), that is up to three-quarters of Australia breached in a month. Optus lost your passport number. Medibank lost your abortion record. Two companies, four weeks, and most of Australia exposed. The penalty hearing will determine what fine is proportionate. For the patients whose HIV status was published on the dark web, no fine is proportionate.
What they claim: Medibank, as a health insurer, held the most sensitive category of personal data: health claims records detailing medical treatments, diagnoses, and procedures.
What we found: Russian hackers linked to the REvil ransomware group stole 9.7 million Medibank customer records in October 2022. The stolen data included not just names, dates of birth, and Medicare numbers, but detailed health claims data: specific medical procedures, diagnoses, and treatment histories. The hackers published the data on the dark web in batches, sorting victims into categories they called "good-list" and "naughty-list." The "naughty-list" contained the most sensitive records: abortion procedures, mental health treatment, HIV status, drug and alcohol rehabilitation. Patients who had sought treatment for the most stigmatised health conditions -- conditions they may not have disclosed to family, employers, or partners -- had their medical histories published on the internet, sorted by how damaging the information was. Medibank refused to pay the ransom, citing advice from cybersecurity experts that payment wouldn't guarantee data deletion. The decision was defensible. The consequence was that millions of Australians' most intimate health secrets were published permanently.
What they claim: Medibank describes comprehensive data protection for member health information.
What we found: The Medibank breach has cost Medibank more than $375 million: over $125 million in direct costs, plus the $250 million capital adequacy adjustment that APRA required Medibank to hold after the breach. That $250 million is not a fine but additional capital Medibank must set aside until APRA is satisfied its remediation is complete; it still ties up money the insurer cannot otherwise use. Victoria Police linked 11,000 cybercrime cases directly to the leaked Medibank data: criminals using stolen health records for identity fraud, blackmail, and targeted scams. 9.7 million Australians' health records were leaked, including mental health, substance abuse, and pregnancy termination data.
What they claim: Medibank holds health claims data under obligations of confidentiality as a regulated health insurer.
What we found: The Medibank breach demonstrated that health insurance claims data is the most dangerous category of personal information in existence. A financial data breach exposes numbers that can be changed -- credit cards, bank accounts. A health data breach exposes conditions that cannot be changed and may carry social stigma for life. Patients who sought abortion had their procedures published. People living with HIV had their status disclosed. People who sought addiction treatment had their recovery exposed. None of these health conditions can be "reset" like a password. The social consequences -- family rejection, employment discrimination, relationship destruction -- are permanent. Health insurers hold this data as a matter of business necessity: they process claims, which requires knowing what procedures were performed. But the Medibank breach proved that the business necessity of holding this data is inseparable from the catastrophic risk of losing it. Every health insurer in the world holds data this sensitive. Medibank proved what happens when that data escapes.
What they claim: Medibank is Australia's largest private health insurer, entrusted with the health data of nearly 10 million Australians.
What we found: The OAIC filed Federal Court proceedings against Medibank seeking civil penalties. Under the Privacy Act as it applied at the time of the breach, each contravention carried a maximum penalty of $2.22 million; multiplied across 9.7 million affected individuals, the theoretical maximum is roughly $21.5 trillion. That figure is a ceiling, not a likely outcome, but its scale reflects the unprecedented sensitivity of the data and the severity of the breach. The OAIC's investigation concluded, and its court claim alleges, that Medibank failed to take reasonable steps to protect personal information, including inadequate access controls and insufficient monitoring of its systems; the Federal Court has yet to rule on those allegations. Baker McKenzie filed a class action on behalf of affected customers. The breach occurred weeks after the Optus breach, meaning Australia experienced two of its worst-ever data breaches within a month. Together, Optus and Medibank exposed approximately 20 million records in a country of 26 million people. Because the two customer bases overlap and both counts include former customers, the number of distinct individuals is lower, but in the space of 30 days, records covering up to three-quarters of Australia's population had been compromised.