Update as of 1 December 2022: Medibank has confirmed that more stolen customer data has been released on the dark web. Certain reports are suggesting that the hackers have released all files remaining in their possession.
In recent weeks, cyber security has been top of mind for people across Australia, with major hacks targeting some of the country’s largest organisations, including telecommunications giant Optus and insurance provider Medibank.
In September 2022, Optus notified its customers that it had fallen victim to a cyber attack. Upon further investigation, it was revealed that millions of current and former customers’ details and ID documents had been compromised. Only a month later, Medibank was targeted by online hackers, who accessed the data of roughly 9.7 million people. According to ABC News, as many as 20,000 International students’ health claims data – including service provider name and location, the type of medical service received, and the codes related to procedures and diagnoses – are believed to have been accessed.
Medibank’s cyber attack has been particularly controversial and concerning due to the very sensitive and private nature of health records. Unfortunately, the fears of many Medibank customers became a reality when Medibank refused to pay the ransom demanded by the hackers. In response, the criminals posted a file of abortions – which contained the names of several Medibank policyholders – on a blog linked to a Russian ransomware group called REvil. In more recent days, the hackers released thousands more health records, exposing an array of health conditions.
Without question, Australian citizens and permanent residents have every right to be worried about the release of their personal information. However, one of the most severely affected demographics of the Medibank attack will undoubtedly be members of the international community in Australia, including international students.
For them, this isn’t a mere inconvenience – it’s a threat to life as they know it.
“I felt so helpless and confused,” – The harsh reality for Medibank customers
For Nayonika Debashish Bhattacharya (they/she), a UNSW international student and Medibank policyholder, the news of the cyber attack was gut-wrenching.
“First, it was an overwhelming sense of panic and fear,” they say. “It got to a point where I went numb, could not process anything, and did not know what to do because I felt so helpless and confused. My eyes read the information, but my brain was panicking.”
According to Nayonika, their anxiety was compounded by the startling sense of indifference among locals: “It felt very dehumanising. No one around me seemed to be worrying about it as much as I was. [When I would bring it up,] it was laughed off with a ‘Oh yeah, all data is so publicly available anyway, you will be fine’ attitude. The repercussions it could and will have on some people are obviously lost on the community.”
Nayonika contextualises the severity of the breach with the example of LGBTQIA+ international students, many of whom could face persecution if their data becomes public.
“Young, queer migrants [are] at a high risk of being exposed to trolls on the internet or even to unsupportive behaviour from their home countries if [their] information is sold off readily. How do you recover from something like that?” asks Nayonika.
Exposed abortion data could mean dark days lie ahead
The released abortion records are an especially troubling development in the breach. While discretion is important for all medical procedures, it is absolutely essential in pregnancy terminations. Not only is abortion illegal in many countries, but it is highly restricted and stigmatised in several others – even those where it is legal.
So, what happens when this incredibly personal decision is made public against your will? According to former sexual and reproductive health researcher, Kate MacFarlane, the potential consequences are dire.
“This breach puts people at serious risk, and this may be particularly the case for those who are from or have family in places where abortion is still culturally stigmatised or legally restricted. Much of this may have to do with social, familial, and reputational risk,” she explains.
Kate, who has previously researched abortion experiences in Turkey, highlights that the preservation of privacy is vital on countless levels.
“It protects people who are suffering from domestic violence. It protects people who are part of cultures where premarital sex is extremely stigmatised. It protects people who have suffered sexual assault where the disclosure of that may impact their personal safety,” she says.
“A breach like this has effectively compromised this right to privacy and the protections it affords people. Even for members of the international community who have legally accessed abortion in Australia, this revelation to loved ones and broader social circles back home could be extremely socially compromising.”
An uncertain future
Because the breach happened so recently, it’s hard to tell in many ways what the future holds. Will the hackers release more files? Will Medibank customers be compensated for this privacy violation? Only time will tell.
But one thing we do know? The impacts of the breach on affected international students are likely here to stay.
“The impacts of this could be long-lasting both at the individual and societal levels. People could endure long-term consequences with their families and communities as a result of this information becoming public,” says Kate. “At a broader level, a breach like this creates what we call a chilling effect. It makes people scared about potential consequences of seeking abortion care or using insurance to cover their abortion procedures.”
Nayonika echoes this sentiment, explaining that “consent and privacy were violated in so many ways, with no thought for how they would harm these students – temporarily or for a long time.”
While there is hope that both Medibank and the federal government will consider international students in their responses, only time will tell on this front, too. In the meantime, all we can do as a community is offer compassion to the impacted international students; in most cases, it goes further than you might think.