The Naughty List: The Medibank Breach
On October 13, 2022, Medibank Private — Australia’s largest private health insurer, covering approximately 3.9 million members — detected unusual activity on its network. The company’s security team moved to isolate the threat. They believed they had contained it.
They had not.
What investigators would gradually piece together over the following days was that an attacker had already been inside Medibank’s systems for weeks, quietly moving through internal networks, locating and cataloguing databases containing the most sensitive records in the company’s possession. By the time the containment action was triggered, an unknown volume of data had already been exfiltrated to an external server.
The attacker reached out on October 17, claiming to have stolen the records of 9.7 million current and former Medibank customers and employees — including the complete medical claims history of every one of them. Diagnoses. Procedures. Providers. Prescriptions. Years of intimate healthcare data covering mental health treatment, substance abuse programs, HIV status, cancer treatment, and termination of pregnancy.
The demand: $9.7 million AUD — one dollar per record. Later revised to $10 million USD.
Medibank’s CEO David Koczkar convened the board. The Australian Federal Police were engaged. Cyber security advisors were brought in. And then, on November 7, 2022, Koczkar announced a decision that made headlines across the country:
Medibank would not pay.
What followed was one of the most disturbing post-breach extortion campaigns in the history of cybercrime — not for its technical sophistication, but for its deliberate targeting of human suffering. The attackers, having received no payment, began publishing the records in batches, organized by the most damaging categories they could construct.
The first file they posted on their dark web blog they called the “naughty list.”
Threat Actor Profile: REvil-Linked Russian Cybercriminals
Designation: Attributed to a threat actor associated with the REvil (Sodinokibi) ransomware ecosystem
Attribution: Australian Signals Directorate (ASD), Australian Federal Police (AFP), and the Australian Cyber Security Centre (ACSC) — in coordination with international partners — attributed the intrusion to a single named individual: Aleksandr Gennadievich Ermakov, a Russian national based in Russia, assessed to be a former affiliate operator of the REvil ransomware group.
Origin: Russia; the Australian government formally sanctioned Ermakov in January 2024 — the first time Australia had ever imposed a cyber sanctions designation against an individual.
Primary Mission: Financially motivated extortion through data theft and ransomware deployment
Attribution Notes: The public naming and sanctioning of Ermakov was an extraordinary step for Australia — a country that had previously been cautious about public attribution in cyber cases. The action was coordinated with the United States, United Kingdom, and other Five Eyes partners.
Notorious Operations:
- REvil / Sodinokibi (2019–2021): The REvil ransomware group was responsible for some of the most damaging ransomware attacks of its era, including attacks on the foreign currency exchange Travelex ($2.3M ransom), JBS Foods (world’s largest meat processor, $11M paid), and the Kaseya VSA supply chain attack affecting 1,500+ businesses worldwide.
- Medibank (2022): The operation described above; 9.7 million patients’ records; the most severe data breach in Australian corporate history.
The Entry: A Single Compromised Credential
The Medibank intrusion, like so many before it, began with a stolen credential.
Medibank’s IT environment was partially managed by a third-party IT services provider. An employee of that contractor held a credential — specifically, one granting access to Medibank’s environment over a Remote Desktop Protocol (RDP) connection — that had been compromised. The credential appeared in underground markets and in infostealer logs circulating on dark web forums. Its owner did not know this.
The attacker acquired the credential. The credential worked. There was no multi-factor authentication required on this particular access path. The attacker was inside Medibank’s network.
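The access path just described, a contractor credential used over RDP with no MFA in the way, is one a defender can watch for directly. What follows is an added example, not Medibank's or any vendor's code: it parses constructed, simplified log lines modelled on Windows Security event 4624 fields, flags RemoteInteractive (LogonType 10) logons by third-party accounts that do not originate from the contractor's expected jump-host subnet, and flags any account that appears over RDP from more than one source address within an hour. The account names, the allowed subnet, the window and the log format are all assumptions.

```python
"""
Detection sketch for contractor RDP logons on an access path without MFA.
Added example, not Medibank's tooling. The log lines are constructed in a
simplified key=value shape modelled on Windows Security event 4624 fields
(LogonType 10 = RemoteInteractive, i.e. RDP).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed (hypothetical): accounts belonging to the third-party IT provider.
CONTRACTOR_ACCOUNTS = {"svc-vendor-ops", "vendor.jsmith"}
# Constructed (hypothetical): the only source range the contractor should use,
# a managed jump-host subnet. Any other source is an unexpected RDP path.
CONTRACTOR_ALLOWED_SRC = [ipaddress.ip_network("10.50.0.0/24")]
# Constructed: one account arriving from several sources inside this window
# is consistent with a credential being used by more than one party.
MULTI_SOURCE_WINDOW = timedelta(hours=1)

# Constructed sample events (not real Medibank logs).
SAMPLE_EVENTS = """\
2022-10-01T02:14:07Z EventID=4624 LogonType=10 Account=vendor.jsmith SrcIP=10.50.0.17 Host=JUMP01
2022-10-01T02:31:44Z EventID=4624 LogonType=10 Account=vendor.jsmith SrcIP=203.0.113.45 Host=RDP-GW1
2022-10-01T02:40:02Z EventID=4624 LogonType=3 Account=alice.w SrcIP=10.10.4.8 Host=FS01
2022-10-01T03:05:19Z EventID=4624 LogonType=10 Account=svc-vendor-ops SrcIP=198.51.100.9 Host=RDP-GW1
2022-10-01T09:12:33Z EventID=4624 LogonType=10 Account=bob.k SrcIP=10.10.7.21 Host=DESK22
"""


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    ev = {k: v for k, v in (f.split("=", 1) for f in fields)}
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_allowed_source(ip):
    """True if the source address falls inside the contractor's jump-host range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CONTRACTOR_ALLOWED_SRC)


def analyse(log_text):
    """Return a list of (rule, account, detail, host) findings for RDP logons."""
    findings = []
    sources_by_account = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["EventID"] != "4624" or ev["LogonType"] != "10":
            continue  # only successful interactive RDP logons are of interest here
        acct = ev["Account"]
        sources_by_account[acct].append((ev["ts"], ev["SrcIP"]))
        if acct in CONTRACTOR_ACCOUNTS and not is_allowed_source(ev["SrcIP"]):
            findings.append(("contractor_rdp_unexpected_source", acct, ev["SrcIP"], ev["Host"]))
    # Second rule: the same account seen from several distinct sources within the window.
    for acct, seen in sources_by_account.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            ips = {ip for t, ip in seen[i:] if t - t0 <= MULTI_SOURCE_WINDOW}
            if len(ips) > 1:
                findings.append(("multi_source_rdp", acct, ",".join(sorted(ips)), ""))
                break  # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The first rule is the cheap, high-value one: a third-party account should only ever reach RDP through the path the contract defines, so any other origin is worth a ticket regardless of whether the password was correct. The second rule catches the case where the legitimate user and a credential thief are both active, which is exactly the situation a stolen-but-still-valid credential produces.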
From this initial foothold, the attacker spent weeks performing reconnaissance — moving slowly through Medibank’s internal infrastructure, elevating privileges, and mapping the organization’s data architecture. The objective was clear. ahm (Australian Health Management), Medibank’s subsidiary brand serving younger, price-conscious health insurance customers, maintained a database that held consolidated claims data for the entire Medibank customer base, including medical claims history.
The attacker found it.
Over the course of the infiltration, the attacker staged and then exfiltrated data in multiple batches. The exact duration of the initial access remains under Australian Federal Police investigation; publicly available information suggests the attacker had persistent access for at least several weeks before the October 13 detection event.
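Staging data and pushing it out in batches, as described above, leaves a volume signal on the network that a per-host baseline can catch. The following is an added example and not Medibank's tooling: it applies a robust median/MAD threshold to constructed daily external-egress totals per host. Host names, byte counts, the 7-day window and the threshold multiplier are assumptions; in practice the totals would be aggregated from firewall, proxy or NetFlow records for destinations outside the organisation's own ranges.

```python
"""
Detection sketch: staged exfiltration as an outbound-volume anomaly.
Added example, not Medibank's tooling. The daily egress figures are
constructed; a database server that normally sends little to the
internet suddenly pushes two large batches a few days apart.
"""
from collections import defaultdict
from statistics import median

BASELINE_DAYS = 7          # assumption: compare each day against the prior week
K = 10.0                   # assumption: flag at median + K * spread
MAD_FLOOR_FRACTION = 0.05  # keeps the spread from collapsing to zero on flat baselines

# Constructed: (host, day, bytes sent to external destinations that day).
FLOW_DAILY = [
    ("DB01", "2022-09-20", 41_000_000), ("DB01", "2022-09-21", 39_500_000),
    ("DB01", "2022-09-22", 44_200_000), ("DB01", "2022-09-23", 40_100_000),
    ("DB01", "2022-09-24", 38_900_000), ("DB01", "2022-09-25", 42_300_000),
    ("DB01", "2022-09-26", 40_800_000),
    ("DB01", "2022-09-27", 612_000_000),  # first staged batch leaves
    ("DB01", "2022-09-28", 43_000_000),
    ("DB01", "2022-09-29", 880_000_000),  # second batch leaves
    # A busy web tier with naturally high, noisy egress: must not be flagged.
    ("WEB01", "2022-09-20", 900_000_000), ("WEB01", "2022-09-21", 950_000_000),
    ("WEB01", "2022-09-22", 920_000_000), ("WEB01", "2022-09-23", 980_000_000),
    ("WEB01", "2022-09-24", 910_000_000), ("WEB01", "2022-09-25", 940_000_000),
    ("WEB01", "2022-09-26", 960_000_000), ("WEB01", "2022-09-27", 1_050_000_000),
    ("WEB01", "2022-09-28", 990_000_000),
]


def egress_anomalies(rows, baseline_days=BASELINE_DAYS, k=K):
    """Return (host, day, bytes, ratio_to_baseline_median) for days whose
    external egress exceeds median + k * max(MAD, floor) of the prior window."""
    by_host = defaultdict(list)
    for host, day, nbytes in rows:
        by_host[host].append((day, nbytes))
    findings = []
    for host, series in by_host.items():
        series.sort()  # ISO dates sort chronologically as plain strings
        for i in range(baseline_days, len(series)):
            window = [b for _, b in series[i - baseline_days:i]]
            med = median(window)
            # Median absolute deviation: a robust spread that one earlier spike
            # cannot inflate the way a standard deviation would.
            mad = median(abs(b - med) for b in window)
            spread = max(mad, MAD_FLOOR_FRACTION * med)
            day, nbytes = series[i]
            if nbytes > med + k * spread:
                findings.append((host, day, nbytes, round(nbytes / med, 1)))
    return findings


if __name__ == "__main__":
    for host, day, nbytes, ratio in egress_anomalies(FLOW_DAILY):
        print(f"{host} {day}: {nbytes:,} bytes out ({ratio}x baseline median)")
```

The median and MAD are chosen deliberately over mean and standard deviation: after the first 612 MB batch on 27 September, a mean-based baseline would be dragged upward and the spread inflated, so the second batch two days later could slip under the threshold. With a median baseline the first spike is just one outlier in the window and the 880 MB day is still flagged at roughly twenty times the norm.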
The Data: What Was Taken
The breadth of what was stolen made the Medibank breach uniquely severe among data breaches of its era.
Health insurance claims data is not merely a name and a policy number. It is a longitudinal record of a person’s medical life: every doctor visited, every hospital admission, every diagnostic code, every prescription. It is, in many respects, the most intimate record a person can have — more revealing than bank statements, more sensitive than emails.
The 9.7 million records stolen from Medibank included:
- Full name, date of birth, address, phone number, and email for each customer
- Medicare number and passport details for international students enrolled in Medibank’s student health plans
- Complete medical claims history, including:
- The names of treating physicians and hospitals
- ICD-10 diagnostic codes for every condition for which a claim was made
- Dates and types of procedures performed
- Drug and substance abuse treatment records
- Mental health consultation records
- HIV treatment records
- Oncology (cancer) treatment records
- Pregnancy termination records
This was not a database of passwords or credit card numbers. Passwords can be reset. Medical histories cannot be unwritten.
The Decision: Not One Cent
When the extortion demand arrived, Medibank had a choice that no organization wants to face, but which the healthcare sector encounters with increasing frequency.
The attacker’s initial demand of $9.7 million AUD — framed explicitly as one dollar per affected customer — was subsequently renegotiated to $10 million USD. The attackers provided samples of the stolen data to demonstrate credibility: small batches of records, sufficient to confirm the scope and authenticity of the exfiltration.
Medibank’s board and its advisors, including the Australian Cyber Security Centre, reached a conclusion shared by law enforcement agencies globally: paying ransoms does not guarantee data deletion, funds criminal enterprises, and incentivizes future attacks. Australian Federal Police Commissioner Reece Kershaw stated publicly that paying the ransom offered “no guarantee” that the data would not still be published.
On November 7, 2022, CEO David Koczkar issued a public statement:
“After considering the advice of cybercrime experts, we believe there is only a limited chance paying the ransom would result in the return or destruction of the data… We are also very conscious that paying the ransom could have the unintended consequence of encouraging further attacks on Australian businesses and other organisations.”
It was the right call in principle. What followed tested that principle severely.
The Publication: The Naughty List
The attackers had established a blog on the dark web — an increasingly common extortion tool in the post-double-extortion era — and had threatened to publish data unless payment was received. When no payment came, they began publishing.
The first batch, released in mid-November 2022, was labeled by the attackers as the “naughty list” — a deliberately dehumanizing term applied to the most sensitive category of records in the database: patients who had received treatment for HIV, mental health disorders, drug and alcohol abuse, and pregnancy terminations.
The implications were immediate and devastating for the individuals named. In the days following the publication, mental health helplines reported surges in calls from people who had been outed in the data. Victims described anxiety, humiliation, and fear — of workplace discrimination, relationship consequences, family fallout, and the permanent exposure of medical details they had never disclosed to anyone outside a clinical setting.
Subsequent batches followed:
- “Good list” — a second category, ostensibly less sensitive, comprising standard claims records
- “Abortions list” — records specifically tagged by the attackers as involving termination of pregnancy procedures
- “Booze” and “drugs” list — records involving substance treatment
- Senior figures with sensitive diagnoses — the attackers explicitly targeted individuals they appeared to have identified as prominent or high-profile
Each publication was accompanied by posts on the attackers’ dark web blog taunting Medibank and the Australian government. The campaign had an explicit theatrical dimension: the attackers were performing cruelty as leverage, and as punishment for non-payment.
The Australian government responded with unusual directness. Home Affairs Minister Clare O’Neil called the breach “a crime of the most heinous nature.” Prime Minister Anthony Albanese described it as “reprehensible.” The Australian Cyber Security Centre issued technical advisories and worked to get the dark web posts removed from indexing.
The publication campaign continued sporadically through December 2022 before eventually ceasing — though the data was available in criminal marketplaces for months afterward.
The Sanctions: Australia Names a Name
On January 23, 2024 — fourteen months after the breach — the Australian government took a step without precedent in its history.
Foreign Affairs Minister Penny Wong announced that Australia was imposing its first-ever cyber sanctions against a named individual: Aleksandr Gennadievich Ermakov, a 33-year-old Russian national. The sanctions imposed a travel ban and asset freeze against Ermakov and made it a criminal offense for any Australian to provide assets to him — including cryptocurrency payments.
The designation was coordinated with the United States, which simultaneously listed Ermakov under OFAC sanctions, and the United Kingdom.
Australian Federal Police Commissioner Reece Kershaw stated directly: “We know who you are.” The AFP identified Ermakov as a member of the cybercriminal ecosystem associated with the REvil ransomware group, operating out of Russia.
Russia did not extradite him. It almost certainly never will. But the public naming served a purpose that law enforcement increasingly pursues in the absence of extradition: attribution as deterrence, and as a statement to victims that their government had identified the responsible party.
The Reckoning: What Medibank Owes
The Australian Information Commissioner launched a formal investigation into whether Medibank had taken reasonable steps to protect the personal information it held under Australia’s Privacy Act 1988.
In 2024, the Commissioner found that Medibank had failed to take reasonable steps to protect personal information — including the failure to implement adequate authentication controls on privileged access systems, and the failure to implement MFA on the RDP access path exploited in the intrusion.
In a landmark decision in 2025, Medibank was found to have breached the Privacy Act across multiple counts and faced potential civil penalties. The case set precedent for organizational accountability in healthcare data breaches in Australian law.
The class action brought by Medibank customers moved toward settlement — with the number of people potentially entitled to compensation representing one of the largest class actions in Australian legal history.
No organization can hold 9.7 million patients’ most intimate medical secrets and treat the protection of that data as a cost center. The Medibank breach made that principle expensive.
Attack Chain: Medibank — Data Extortion via Healthcare Records
```mermaid
graph TD
A["🇷🇺 Aleksandr Ermakov\n(REvil-linked, Russian national)\nJan 2024 sanctioned by\nAustralia / US / UK"] --> B["Reconnaissance\nMedibank IT Supply Chain\nThird-party managed services\nprovider identified"]
B --> C["Credential Acquisition\nThird-party IT contractor\nemployee credentials stolen\n(infostealer / dark web)\nNo MFA on RDP path"]
C --> D["Initial Access\nRemote Desktop Protocol (RDP)\ninto Medibank network\nWeeks before detection\n~Late Sept / Early Oct 2022"]
D --> E["Internal Reconnaissance\nNetwork mapping\nDatabase enumeration\nPrivilege escalation"]
E --> F["Data Targeting\nMedibank / ahm\nClaims Database Located:\n9.7M customer records\n+ complete medical history"]
F --> G["Staged Exfiltration\nData batched and exfiltrated\nto external servers"]
G --> H["Medibank Detects\nUnusual Activity\nOct 13, 2022\nContainment attempted"]
H --> I["Attacker Contact\nOct 17, 2022\nDemands $9.7M AUD\n($10M USD revised)\n1 AUD per record"]
I --> J{"Medibank Decision"}
J --> K["Nov 7, 2022\nCEO David Koczkar:\n'We will not pay'\nAFP + ACSC advice\n'No guarantee of deletion'"]
J --> L["Cybercriminal\nPublications Begin\nNov–Dec 2022"]
L --> M["'Naughty List' Published\nHIV, mental health,\nabortions, drug treatment\nrecords posted to\ndark web blog"]
L --> N["'Good List' Released\nStandard claims records"]
L --> O["Subsequent Batches\n'Abortions list'\n'Booze & drugs'\nHigh-profile individuals\ntargeted by name"]
M --> P["Human Impact"]
P --> P1["Mental health crisis lines\noverloaded with calls"]
P --> P2["Patients outed to\nfamilies / employers"]
P --> P3["HIV+ patients\nexposed publicly"]
P --> P4["Discrimination fears\nfor millions of\nnamed individuals"]
K --> Q["🏛️ Government Response"]
Q --> Q1["Home Affairs Minister\nO'Neil: 'Crime of the\nmost heinous nature'"]
Q --> Q2["PM Albanese:\n'Reprehensible'"]
Q --> Q3["ACSC advisory\n+ dark web takedown"]
Q --> R["Jan 23, 2024\nAustralia's First\nCyber Sanction\nErmakov: travel ban\n+ asset freeze\nCoordinated US / UK"]
P --> S["Legal Consequences\nfor Medibank"]
S --> S1["Australian Information\nCommissioner Investigation\nFinds Privacy Act breaches\nFailed to implement MFA\non RDP access path"]
S --> S2["Civil Penalty\nProceedings 2025\nLandmark precedent for\nhealthcare data liability"]
S --> S3["Class Action\nMedibank customers\nLargest in Australian\nlegal history by volume"]
R --> T["Ermakov not extradited\nRussia refuses cooperation\nNamed, known, free"]
```

Further Reading & Media
The Medibank Breach
When Russian cybercriminals stole the medical records of 9.7 million Australians and Medibank refused to pay the ransom, the attackers published patients' most intimate secrets — cancer diagnoses, HIV status, mental health records, and abortion histories — in batches on the dark web, one file at a time. Use this reference overview as a jumping-off point for deeper reporting, primary-source disclosures, and historical context.