- An Australian woman is worried her father’s psychiatric treatment including ECT will be exposed in the Medibank hack.
- She says that it is also harmful to people’s mental health to have to be vigilant when it comes to text and email communication.
- Expert says it is problematic to place the responsibility on end users to avoid being defrauded.
This story contains references to sexual assault and suicide
Sonia, not her real name, is so worried about the impact the Medibank leak will have on her father’s mental health that she hasn’t told him his details may have been compromised.
Sonia’s father is a Medibank customer and has been diagnosed with major depressive disorder and bipolar disorder.
Last month he was admitted to a psychiatric hospital, and Sonia is worried that her father’s inpatient psychiatric records will be exposed, as well as his claims about electroconvulsive therapy (ECT).
ECT involves passing small electrical currents through the brain, a treatment that she describes as historically “extremely stigmatized” by society.
“This is information that he has a right to control, who knows that about him,” she said.
“[There’s] a sense of violation and lack of control for him.”
On Sunday night, Russian cybercriminals linked to the Medibank hack released a third file called “psychos” to the dark web, which appears to be related to the mental health treatment of some Medibank customers.
Hackers have started publishing client data stolen from Medibank on the dark web after the health insurer refused to pay a ransom.
While her 77-year-old father is no longer working, Sonia is concerned that if his details are released, criminals could target him because his age and mental illness make him more vulnerable to blackmail.
“I think my personal concern is just … this constant threat of worrying about what messages he can or can’t open,” she said.
Sonia said the possibility of being defrauded had already caused her father anxiety. She said he had brought his phone to her house after receiving a strange text message in January.
“He said ‘what am I going to do with this?’ and he was shaking and his finger was hovering over it and I said ‘Daddy don’t touch it’.”
The mental health burden created by the threat of fraud
Sonia isn’t sure if the incidents are connected, but her father was hospitalized shortly after receiving the scam text message, and again in October, weeks after being told his driver’s license was compromised during the Optus hack.
“He is not from a tech native or tech savvy generation,” said Sonia.
She said having access to a smartphone has been important to her father while he is in hospital, as he is not allowed to have visitors.
“It’s the only way we can have face-to-face interactions,” she said. “And yet this thing that’s supposed to help him is actually potentially a source of tremendous distress for him, this constant sense of threat or insecurity that kind of looms there every time he gets a text or phone call from a number or a source he doesn’t recognise.
“It really affects his self-esteem, which then links to feelings of unworthiness and suicidal thoughts.
“He thinks there’s something wrong with him because he can’t figure out how to do this when the problem isn’t him, the problem is that there are people out there with malicious intent committing these crimes.”
Sonia is worried about how her father will react if he is told that his health details could also be exposed as part of the Medibank hack.
“While he is in hospital receiving treatment for his mental health, I have been too scared to tell him there has been a data breach at Medibank,” she said.
“I manage his emails now and I’ve hidden it from him.
“I don’t feel comfortable with the fact that I’m not being completely open with my dad, but I’m worried that it’s going to negatively affect his mental health treatment.”
The data breaches have also affected Sonia, who is both an Optus and Medibank customer. She is not overly concerned about her health history, as she is a relatively new Medibank customer, but as a victim of rape, sexual assault and stalking, Sonia is very concerned about her address or other contact details being revealed.
“I’m very careful about who I give my address to, and contact details, and yet, potentially if my address is out there, or even my phone number and email address… [someone] could potentially threaten me in real life by just showing up on my doorstep or by posting something that makes me feel uneasy or contacting me online,” she said.
“It really makes me feel incredibly uneasy and distressed, especially as a person with PTSD [post-traumatic stress disorder], it might trigger me.”
“We are the victims”
Sonia said she supported Optus and Medibank’s decision not to pay ransom to the hackers, but said she was “absolutely angry that they are referring to themselves as victims”.
“We the customers whose data has been breached, we are the victims,” she said.
While both Optus and Medibank have offered affected customers one-year subscriptions to Equifax, a credit monitoring and identity protection service, Sonia says they are only valid for one year from now and cannot be used back-to-back to provide a longer period of protection.
“I don’t see why Optus should pay for people who are customers of both Optus and Medibank,” she said.
“It’s a very detached form of support that’s offered. I know there are numbers that they offer to call for advice and stuff, but I don’t think it’s enough.”
She is now considering whether to switch to new providers, but is concerned that this could put her at greater risk as her data will be stored in multiple locations.
“I’m handing over my data to multiple parties who can also be hacked,” she said. “It’s pretty hard to figure out what to do now.”
Australians are worried about how to protect their data after leaks from Optus and Medibank.
Call for higher penalties for failing to protect data
Sonia wants to see higher penalties for companies that fail to protect sensitive data and does not understand why this is only now being proposed.
She would also like to see changes in how text messages on mobile phones are delivered, as it is currently unclear which ones come from legitimate organisations.
“I go through stress every time I get a call from an unknown number, and I basically let all unknown numbers go through to voicemail,” she said.
“All of these micro-stressors contribute to this heightened hypervigilance, and I don’t think that’s healthy even for people who don’t have a predisposition or pre-existing mental illness — it’s actually quite harmful.
“I’d really like to see more done around trying to protect people from not only the most malicious things, but actually talking to traders to really make it easier to identify those things and reduce the overall little stresses that add up.”
The Australian Communications and Media Authority (ACMA) registered new rules in July this year requiring telcos to identify, track and block SMS fraud.
But Sonia wants to see a reduction in the number of text messages that contain links that people can click on, and has already actively contacted companies to opt out of SMS communications.
“I really want to reduce the number of text messages [my dad] receives in total and not have him get used to clicking on any links, even if they are legitimate,” she said.
“The stress of trying to figure out, is this a legitimate text message or is this a scam? is stressful.
“Even for myself, all these micro-stressors get incredibly overwhelming.”
“I would like to have more secure systems”
Monash University cyber security expert Professor Carsten Rudolph agreed that putting the onus on the end user and having systems where people are expected to be careful was problematic.
“I’d rather have more secure systems and really focus on a way to build our applications where this kind of behavior doesn’t matter as much,” he said.
SMS scams are rampant in Australia.
“But at the moment we don’t have that, so we really have to be careful and probably sometimes you have to be a little annoying and … call the person and ask them if this is actually a real link … and not use a phone number that’s in that email or in that text message because that could also be fake.”
Professor Rudolph said it was quite easy for people to feel overwhelmed and questions should probably be asked about the need for everything to be online and the need to share information with everyone.
“A lot of people can look at maybe reducing some of the unnecessary stuff,” he said.
This may include reducing the number of apps installed on mobile phones, or not signing up for special offers on websites.
“But at the end, it’s kind of the responsibility of the companies and at the end, probably the government as well, to change the regulations to improve safety in all these different places,” he said.
Professor Rudolph said systems needed to be changed so that it is not a person’s responsibility to find out if, for example, someone has taken out a loan in their name.
“The people making loans need to get better at checking identities,” he said.
“In many places, consumers cannot take that responsibility.”
If you or someone you know is affected by sexual abuse, call 1800RESPECT on 1800 737 732 or visit . In an emergency call 000.
Readers seeking crisis support can contact Lifeline on 13 11 14, the suicide service on 1300 659 467 and Kids Helpline on 1800 55 1800 (for young people up to the age of 25). More information and support with mental health is available at and on 1300 22 4636.
supports people with culturally and linguistically diverse backgrounds.