Hacker holds Australian health insurer's data for ransom

CANBERRA, Australia (AP) — A cybercriminal was holding for ransom an Australian health insurer’s customer data including diagnoses and treatments, in the nation’s second major privacy breach in a month, officials said on Thursday.

Trade in Medibank shares has been halted on the Australian Securities Exchange since Wednesday when police were alerted that the company had been contacted by what it described as a “criminal” who wanted to negotiate over the stolen personal data of customers.

Medibank, which has 3.7 million customers, said on Thursday the criminal had provided a sample of 100 customer policies from a purported haul of 200 gigabytes of stolen data.

Details included customer names, addresses, birth dates, national health care identification numbers and phone numbers.

Cybersecurity Minister Clare O’Neil said most concerning was that records of medical diagnoses and procedures had also been stolen.

“Financial crime is a terrible thing. But ultimately, a credit card can be replaced,” O’Neil told reporters.

“The threat that is being made here to make the private, personal health information of Australians made available to the public is a dog act,” she added.

The Medibank breach, which O’Neil described as a “ransomware attack,” came a month after a cyberattack stole from telecommunications company Optus the personal data of 9.8 million customers.

The Optus breach, which compromised the personal data of more than one-third of Australia’s population, prompted the government to propose urgent reforms to privacy laws that would increase penalties for companies that fail to protect customers’ data and limit the quantity of data that can be retained.

O’Neil said cybercrime was a growing problem around the world and...