Medibank
When Australia's largest health insurer refused to pay, the attackers published abortion records, addiction histories, and HIV status by way of demonstration.
In October 2022, Medibank — Australia's largest private health insurer — disclosed that an attacker had been inside its network. By the time the breach was contained, the personal information and medical claims data of roughly 9.7 million current and former customers had been exfiltrated. In a country of 26 million, that was a substantial fraction of the adult population.
A refusal, and what followed
Australian government policy at the time was already trending against paying ransoms, and Medibank, after consultation with regulators, publicly refused the attackers' demand. The attackers — a group linked to the REvil operation — responded by releasing the most sensitive subset of the data in batches, organized into files with deliberately confronting names: a "naughty list", an "abortions" file, a file of customers with HIV.
The disclosures were calibrated for maximum pressure on the company and maximum harm to individuals. Australian mental-health hotlines reported elevated call volumes from people whose medical history had just become publicly searchable.
A long legal tail
The Australian Federal Police identified a Russian national as the principal operator. The Australian government imposed its first-ever cyber sanctions on him personally. Class actions followed against Medibank; the Office of the Australian Information Commissioner opened an investigation that would run for years.
What the chronicle remembers
Medibank made the case, in front of an entire country, that the question is no longer just whether you pay. It is what an attacker can do to people when you don't, and how a society chooses to weigh that against the wider damage of normalizing ransoms.