Medibank hacker posts data of drug addicts, customers

Medibank customers with drug addictions have had their data leaked in the first tranche of stolen information released by Russian hackers.

The ransomware group, known as Blogxx or REvil, also posted apparent negotiation correspondence between it and Medibank. Picture: NCA NewsWire / David Geraghty
Medibank customers with drug and alcohol addictions are among those to have had their data leaked in the first tranche of sensitive personal information dumped by Russian hackers on Wednesday.

The data, posted in an unencrypted file named ‘naughty-list’ on the dark web for anyone to download, includes details for around 100 patients, including whether they had been treated for drug use, alcohol abuse, anxiety, cannabis dependence or opioid addictions.

A so-called ‘good-list’ has also been posted, containing customer information including names and home addresses, birth dates and Medicare details.

The ransomware group has posted the details of hundreds of Australian customers so far after it gave Medibank 24 hours on Tuesday to pay a cyber ransom, which the company said it wouldn’t.

The hacker also leaked WhatsApp messages purportedly sent to Medibank chief executive David Koczkar attempting to negotiate a ransom payment.

“Hi! As your team is quite shy, we decided to make the first step in our negotiation,” the message to Mr Koczkar dated October 18 reads. “We’ve found people with very interesting diagnoses.”

The hacking group is expected to continue leaking more data after the initial dump on Wednesday.

“Looking back that data is stored not very understandable format (table dumps) we’ll take some time to sort it out,” they wrote in a post on the dark web at around 1am AEDT on Wednesday.

“We’ll continue posting data partially, need some time to do it pretty.”

Medibank confirmed it expected the criminal to continue releasing files on the dark web, and the data published so far appeared to be accurate.

“We unreservedly apologise to our customers,” Medibank chief executive David Koczkar said.

“This is a criminal act designed to harm our customers and cause distress.”

Prime Minister Anthony Albanese confirmed he is a Medibank private customer and can understand the concern of the millions of people affected by the cyber attack on the health insurer and by personal information being published on the dark web.

“We’ve … made sure we’ve been clear about the risk that is there, this is really tough for people. I’m a Medibank private customer as well and it will be of concern that some of this information has been put out there,” he said.

“The company (Medibank) has followed the guidelines effectively … which is to not engage in ransom payments.

“We will be … responding extensively. We are concerned and we’ll continue to monitor what is occurring.”

Mr Albanese said “this has been a real wakeup call for corporate Australia”.

Home Affairs Minister Clare O’Neil said she “doesn’t have words to express the disgust” she feels in response to the stolen data being published online.

“The fact that personal health information is being held over their head is just disgusting to me,” she said on Wednesday. “It just shows us that these cyber criminals who we are joined in a fight against between the Five Eyes and other friends of partners around the world, they are just disgraceful human beings and we need to step up and do everything we can to fight back against them.”

Ms O’Neil said the incident was a wake-up call for the nation, but she believed with the right changes Australia could become “the most cyber safe country in the world”.

She said it was important Australians understood the release of data was not happening because Medibank did not pay a ransom.

“That is crucial for people to realise,” she said. “What we see so often with these incidents is that companies in desperation, pay a ransom and then the data is used to revictimise and revictimise and revictimise. We cannot live in a world where people can do this sort of thing and benefit financially from it.”

Ms O’Neil said she activated the national coordination mechanism within a short time of hearing about the breach last month, which was the first time such a measure had been used in response to a cyber attack.

“The former government created this as a crisis response mechanism during COVID and it was set up to deal with the most difficult intractable urgent problems that were being experienced at that time,” she said.

“It is an unbelievably effective way for us to elevate the urgency of a problem across all levels of government and community of business and to bring together people who need to work together to solve a problem who may not use to be working together.”

Ms O’Neil said important health information of Australians would be released over coming days and weeks and urged that it not be republished by media or on social media platforms.

On Tuesday the hackers shared a statement with a quote from Chinese philosopher Confucius and told people to sell their Medibank stocks along with an ultimatum for the insurance giant.

“A man who has committed a mistake and doesn’t correct it is committing another mistake. Confucius,” they wrote. “Data will be publish in 24 hours.”

Also on Tuesday Medibank chief executive David Koczkar said he was “devastated” for customers, saying they “deserve privacy”. But he said if Medibank caved to the demands of cyber criminals it would make Australia a softer target for repeat attacks.

“This is a significant decision for the business and we’ve had extensive expert advice and the reality of that advice is that there was a small chance that paying a ransom – you can call it extortion – that it was very unlikely they may return customer data,” Mr Koczkar told The Australian.

“In fact, you just can’t trust a criminal. It’s more likely that this will put more of our customers at risk through increased extortion and actually make Australia a bigger target. That’s consistent with the government policy on paying ransom, so that’s why we’ve made the decision we have to not pay a ransom.”

Mr Koczkar said investigations into the incident showed the criminal accessed the name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives.

The criminals also accessed health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered.

Some 5200 My Home Hospital patients also had some personal and health claims data accessed, and around 2900 next of kin of these patients have had some contact details accessed.

Primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers were not accessed, but Medicare numbers (but not expiry dates) for ahm customers were caught up in the breach as were passport numbers (but not expiry dates) and visa details for international student customers.

As The Australian previously reported, the criminal behind the Medibank data hack bought login credentials to gain access to the network from an online Russian criminal forum and, before collecting the data, did extensive reconnaissance, which experts estimate would have lasted months.

Founder of the UK’s National Cyber Security Centre Ciaran Martin said there was a “serious safe haven problem” faced by countries like Australia and Britain in regards to Russia and a number of other nations allowing cyber gangs that targeted western nations to operate freely within them.

“I’m afraid we have to face up to the reality that they (gangs) are pretty effective, well organised … and able to operate with impunity,” he said.

“This threat is here and it’s harder to do something about it than it is for threat actors based in unfriendly countries with whom we don’t have law enforcement arrangements. So we have to treat data as the valuable commodity it is and protect it properly and harden our defences.”

Australian Strategic Policy Institute’s international cyber policy centre director Fergus Hanson said what was unfolding was “the best outcome we could have hoped for” and praised Medibank for not paying a ransom.

“Paying a ransom will just encourage further attacks,” he said.

“So it’s a hard pill to swallow – having patient data released out there and people’s records – but it’s the best outcome for Australians in terms of preventing future attacks on healthcare sectors.”

Originally published as Medibank hacker posts data of drug addicts, customers

Original URL: https://www.ntnews.com.au/business/medibank-hacker-posts-stolen-data/news-story/d9692eaf4d13f985e7560e86c9d7d27c