9.7 Million-Record Data Breach at Medibank

In 2022, a hacker accessed Medibank’s systems, stole the personal and health data of 9.7 million people, and published the stolen files on the dark web. The Australian health insurance company has confirmed the ransomware attack, which could have been avoided had multifactor authentication been implemented.

Medibank had earlier attributed the security incident to a mistake by a contractor and a misconfigured firewall; however, the Australian Information Commissioner (AIC) set out the security failures that led to the breach in an Australian Federal Court filing. According to the filing, the cyberattack began with the theft of the credentials of an IT service desk contractor, who used the browser account on his work PC to store Medibank usernames and passwords for several accounts. The contractor also logged into the same browser account on his personal computer, so the saved credentials were synchronized to that device.

The credentials were used to access a standard account and an administrator account. The administrator account gave access to many, if not all, Medibank systems, including remote desktop access, network drives, and jump box servers that were used to reach Medibank directories and databases. The contractor was unaware that malware installed on his personal computer had harvested the credentials. The threat actor stole the contractor’s credentials on August 7, 2022, and used them to access Medibank’s Exchange Server and the contractor’s admin account on August 12, 2022.

On August 23, 2022, the threat actor accessed Medibank’s Global Protect Virtual Private Network (VPN), which controlled remote access to the company’s systems. Between August 25, 2022 and October 23, 2022, various Medibank systems were accessed, including databases containing Medibank clients’ personal and medical data. During that period, the threat actor extracted approximately 520 gigabytes of files. The stolen information included patient names, dates of birth, Medicare numbers, gender, contact details, visa information for foreign workers and patients, dates of treatment, diagnosis and procedure codes, claims details, and provider names, locations, and contact details.

The AIC stated that the breach could have been prevented had multifactor authentication been enabled. Even though the contractor held elevated administrator privileges, Medibank’s Global Protect VPN required only a username and password or a device certificate to grant access. Medibank did have a security application in place that identified suspicious activity and generated alerts. The software sent notifications to a Medibank IT security operations email address; however, they were not properly triaged or escalated. Those notifications were first generated on August 24, 2022, the day before the threat actor accessed various Medibank systems and exfiltrated a large volume of data. The threat actor retained access for two months before being detected.
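The failure described above is an operational one: alerts were generated and delivered to a mailbox, but nobody acted on them for two months. As an added example (not part of the original article and not Medibank’s tooling), the following Python script shows the kind of check a security operations team can run over its alert queue to surface unacknowledged alerts that have exceeded a severity-based triage SLA, so that a silent backlog is escalated rather than left in an inbox. The record format, alert IDs, hostnames, timestamps and SLA values are constructed assumptions for the example.

```python
"""Escalation check for security alerts that were delivered but never triaged."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Maximum time an alert may sit unacknowledged before it must be escalated,
# keyed by severity. These SLA values are an assumption for the example.
TRIAGE_SLA = {
    "critical": timedelta(minutes=30),
    "high": timedelta(hours=4),
    "medium": timedelta(hours=24),
    "low": timedelta(hours=72),
}


@dataclass
class Alert:
    alert_id: str
    created: datetime
    severity: str
    source: str
    acknowledged: bool


def parse_alert_line(line: str) -> Alert:
    """Parse one pipe-delimited alert record.

    Record layout (constructed for this example):
        id | ISO-8601 created time | severity | source host | ack/unack
    """
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"malformed alert record: {line!r}")
    alert_id, created, severity, source, ack = fields
    severity = severity.lower()
    if severity not in TRIAGE_SLA:
        raise ValueError(f"unknown severity {severity!r} in {alert_id}")
    return Alert(
        alert_id=alert_id,
        created=datetime.fromisoformat(created),
        severity=severity,
        source=source,
        acknowledged=(ack.lower() == "ack"),
    )


def overdue_alerts(lines: List[str], now: datetime) -> List[Alert]:
    """Return unacknowledged alerts whose triage SLA has expired.

    Results are ordered most severe first, then oldest first, so the
    escalation list starts with what an on-call engineer should look at.
    """
    severity_rank = list(TRIAGE_SLA)  # critical, high, medium, low
    overdue = []
    for line in lines:
        if not line.strip():
            continue  # tolerate blank lines in an exported queue
        alert = parse_alert_line(line)
        if alert.acknowledged:
            continue  # somebody already triaged it
        if now - alert.created > TRIAGE_SLA[alert.severity]:
            overdue.append(alert)
    overdue.sort(key=lambda a: (severity_rank.index(a.severity), a.created))
    return overdue


def escalation_report(lines: List[str], now: datetime) -> List[str]:
    """Human-readable escalation lines, one per overdue alert."""
    report = []
    for alert in overdue_alerts(lines, now):
        age_hours = (now - alert.created).total_seconds() / 3600
        report.append(
            f"{alert.alert_id} {alert.severity.upper()} unacknowledged "
            f"for {age_hours:.1f}h (source: {alert.source})"
        )
    return report


# Constructed sample queue; IDs, hosts and times are invented for the example.
SAMPLE_ALERTS = [
    "ALR-0001 | 2022-08-24T09:15:00 | high     | jumpbox-01   | unack",
    "ALR-0002 | 2022-08-24T09:20:00 | medium   | fileshare-03 | ack",
    "ALR-0003 | 2022-08-24T11:45:00 | critical | db-02        | unack",
    "ALR-0004 | 2022-08-24T13:00:00 | low      | vpn-gw       | unack",
]

if __name__ == "__main__":
    check_time = datetime.fromisoformat("2022-08-24T14:00:00")
    for line in escalation_report(SAMPLE_ALERTS, check_time):
        print("ESCALATE:", line)
```

Run against the constructed queue at 14:00, the script escalates the critical alert on db-02 (2.25 hours old against a 30-minute SLA) and the high alert on jumpbox-01 (4.75 hours against 4 hours); the acknowledged medium alert and the one-hour-old low alert are left alone. In practice a check like this would be scheduled against the ticketing or SIEM queue and would page a human when the list is non-empty, which is the step that was missing in the incident described above.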

The AIC claims that Medibank should have known the security risk of operating without multifactor authentication, since Medibank had received two reports, from KPMG in 2020 and from Datacom in 2021, warning that the absence of multifactor authentication was a critical security problem. The AIC claims Medibank violated the Australian Privacy Act of 1988 by failing to take reasonable steps to secure the sensitive information it held, and is seeking a substantial financial penalty.

The penalty for a Privacy Act violation was changed in 2022 to the greater of $50 million, three times the value of any benefit obtained from the misuse of the data, or 30% of adjusted turnover during the breach period. Because the breach occurred before those amendments were passed, the earlier penalties apply. The maximum earlier penalty is $2.22 million per violation. The AIC claims that a separate Privacy Act violation was committed for each of the 9.7 million people affected by the breach. That means the maximum penalty the Federal Court could impose is over $21 trillion.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA