Hackers behind the Medibank cyber attack have released more sensitive customer data relating to mental health treatment.
The file was posted on the dark web on Monday, where the hackers have previously published data from Australia’s largest private health insurer.
It includes 500 records for people who have had diagnoses of mental illness, among other medical conditions.
The Russian criminals said they didn’t plan to post more information until Friday, saying they will be watching Wednesday’s Medibank shareholder meeting closely.
“There is some more records for everybody to know,” they wrote in an update.
“We’ll announce, that next portion of data we’ll publish at Friday, bypassing this week completely in a hope something meaningful happened on Wednesday.”
Medibank chief executive David Koczkar apologised for the release of the sensitive information.
“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program,” he said.
“This includes mental health and wellbeing support, identity protection and financial hardship measures.”
A number of health and community organisations have called on major social media outlets to pull down posts that share the sensitive information.
Meanwhile, Medibank could face legal action over the data breach.
Law firm Maurice Blackburn confirmed it was reviewing whether customers affected by the hack could be entitled to compensation.
The firm’s principal lawyer Andrew Watson said the breach of data was one of the most serious seen in Australia.
“Companies that hold their customers’ sensitive health information have an important obligation to make sure that information is safeguarded, commensurate with the sensitivity of that data,” he said.
“Medibank have a heightened responsibility to put in place greater safeguards to secure the personal and health claim information it collected from its customers.”
As the government looks for solutions to improve cyber security laws, Home Affairs Minister Clare O’Neil has flagged it could soon be illegal for companies to pay ransom demands to hackers should they be subject to a data breach.
“The way we’re thinking about the reform task … is a bunch of quick wins, things that we can do fast, and the standing up of the new police operation is one of those,” Ms O’Neil told the ABC’s Insiders on Sunday.
Greens leader Adam Bandt said he welcomed the idea of banning ransoms from being paid but indicated other measures needed to be considered.
“We need a holistic review about whether too much data is being kept in the first place, because once you collect all of that data it will be a target for hackers,” he told reporters in Melbourne.
“We need an overall review of whether corporations are keeping too much data in the first place as well as whether that data is being properly secured.”
Mr Bandt said the matter of whether Medibank customers should receive compensation following the hack should be considered.
“It will be much better to prevent these kinds of attacks from occurring and prevent people’s privacy being exposed because if the data wasn’t kept in this way in the first place, people might be safer,” he said.
By Tess Ikonomou and Andrew Brown in Canberra