International students in Australia have been left fearful of the repercussions of a major data breach of Australian private health insurance company Medibank, one of five companies authorised to provide compulsory Overseas Student Health Cover (OSHC).

The breach involved hackers accessing the health claim data of approximately 9.7 million current and former customers, including up to 20,000 international students. Compromised data included names, addresses, passport numbers, and sensitive data relating to medical procedures and diagnoses.

When Medibank refused to pay an AUD$15 million ransom to the hackers, sensitive information, including details of customers who had accessed abortion procedures, was published on a blog linked to a Russian ransomware group. The hackers later released more data, including details of various health conditions such as mental health diagnoses.

Impacted international students have been warned to be alert for fraud attempts and scams due to the data breach. However, as the drama has unfolded over the past eight weeks, it has become clear that for many affected students, the emotional toll is significant and has the potential to be long-lasting.

International students have expressed concern that some could face persecution in their home countries if information such as details of abortion or sexual identity became public. President of the University of New South Wales Student Representative Council, International student Nayonika Bhattacharya explained to Australia’s ABC News:

“If you’re a queer student, if you’re seeking certain medical support, surgery or procedures, and if you come from countries where it’s not supportive, essentially it compromises your life safety … if some things get found out, some people won’t be getting the medication they need to survive mental illnesses or other conditions like PTSD and ADHD”

While Medibank’s systems are back up and running after downtime over the weekend as Microsoft Security specialists helped implement tightened security safeguards, the longer-term impacts of the breach on international students are likely yet to be felt.

Experts echo student concerns that the breach may make international students fearful of using their insurance to seek medical care for procedures or conditions that are stigmatised in their home countries. Cyber security experts have also warned that identity and contact information may be used to demand money from friends and families in students’ home countries.

The breach has highlighted the critical importance of cyber security practices in organisations, with the Office of the Australian Information Commissioner commencing an investigation into Medibank’s practices around the handling of personal information. The OAIC will investigate “whether Medibank took reasonable steps to protect the personal information it held from misuse, interference, loss, unauthorised access, modification or disclosure.” Medibank potentially faces civil penalties of up to $2.2 million for each contravention of Australian privacy law.