Medibank hackers announce ‘case closed’ and dump huge data file on dark web

The cybercriminals behind the Medibank cyber-attack have posted on the dark web what appears to be the remainder of what customer data they took from the health insurer, stating it is "case closed" for the hack.

On Thursday morning, the blog - which returned online after several days of being offline last week - posted "Happy Cyber Security Day!!! Added folder full. Case closed." and included a file that has several compressed files amounting to over 5GB.

Guardian Australia has not verified the files, but the file size and the comments on Thursday indicate it could be the full amount of information the hackers took from the Australian health insurer.

The hackers had previously told Medibank in communications prior to the data dump that they were able to extract around 200GB of customer files compressed to 5GB.

Medibank has been contacted for comment.

The breach covers 9.7 million current and former customers, including 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers.

The insurer says health claims for about 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers were accessed. The information exposed includes service provider names and codes associated with diagnosis and procedures.

There were also 5,200 My Home Hospital patients who had their personal and health data accessed, and 2,900 next of kin of these patients who had some contact details accessed.

It is the first drop from the hackers in over a week, and the sixth overall since Medibank refused to pay a US$10m (AU$15m) ransom. The Australian federal police have said the group are located in Russia and are believed to be connected to the REvil ransomware group.

On 20 November the group posted 1,500 records related to claims on chronic conditions such as heart disease, as well as the patient details of people with cancer, dementia, mental health conditions and infections.

Prior to then, 123 customer claims associated with terminating pregnancies, mental health issues, and drug and alcohol use were posted on the blog, along with hundreds of customers' personal details. Those details include names, addresses, dates of birth, phone numbers, email addresses and gender - but not medical information.

The AFP has said it would seek the assistance of Russian authorities through Interpol to help track down the hackers. It also has a parallel investigation aimed at protecting people whose data has been posted in the hack, by scouring the internet for where the data might be posted and where people may be attempting to profit or scam people from it.

This week, in response to the Optus and Medibank breaches, the parliament passed legislation that can result in businesses being fined $50m for repeated or serious data breaches.