Key points
- An Australian woman is worried her father's psychiatric treatment including ECT will be revealed in Medibank hack.
- She says having to be hyper-vigilant about text and email communications is also harmful to people's mental health.
- Expert says it's problematic to put the responsibility on end users to avoid being scammed.
This story contains references to sexual assault and suicide
Sonia, not her real name, is so worried about the impact the Medibank leak will have on her father's mental health, she has not told him that his details may have been compromised.
Sonia's father is a Medibank customer and has been diagnosed with severe depressive disorder and bipolar disorder.
Last month he was admitted to a psychiatric hospital and Sonia is worried her father's psychiatric inpatient claims data will be exposed, as well as his claims for electroconvulsive therapy (ECT).
ECT involves small electric currents being passed through the brain, a treatment that she describes as historically being "extremely stigmatised" by society.
"This is information that he has the right to control, who knows that about him," she said.
"[There's] a sense of violation and lack of control for him."
On Sunday night, Russian cybercriminals linked to the Medibank hack released a third file called "psychos" to the dark web, which appears to be related to the mental health treatment of some Medibank customers.
It previously .
Hackers have started publishing client data stolen from Medibank on the dark web after the health insurer refused to pay a ransom fee. Source: AAP / Jono Searle
"I think my personal concern is just ... this constant threat of worrying about what messages he can or can't open," she said.
Sonia said the possibility of being scammed had already caused her father anxiety. She said he had brought his phone to her house after receiving a strange text message in January.
"He was saying 'what do I do with this?' and he was shaking and his finger was like, hovering over it, and I said 'dad, don't touch it'."
The mental health toll created by the threat of scams
Sonia is not sure whether the incidents are connected but her father was admitted to hospital soon after receiving the scam text message, and again in October, weeks after being told his driver's licence had been compromised during the Optus hack.
"He's not from a tech native or tech-savvy generation," Sonia said.
She said having access to a smartphone has been vital for her father while he's in hospital as he is not allowed to have visitors.
"It's the only way we can have face-to-face interactions," she said. "And yet this thing that's supposed to be helping him is actually potentially a source of huge distress for him, this constant feeling of threat or unsafety that's kind of looming there every time he gets a text message or phone call from a number or source he doesn't recognise.
"It really affects his self-confidence, which then links into his feelings of unworthiness and suicidal ideation.
"He thinks there's something wrong with him because he can't figure out how to do this when the problem is not him, the problem is that there are people out there with malicious intentions who are committing these crimes."
This thing that's supposed to be helping him is actually potentially a source of huge distress for him, this constant feeling of threat or unsafetySonia*
Sonia is worried about how her father will react if he is told that his health information may also be exposed as part of the Medibank hack.
"While he's in hospital receiving treatment for his mental health, I've been too scared to tell him that there's been a Medibank data breach," she said.
"I'm managing his emails now and I've hidden it from him.
"I don't feel comfortable about the fact that I'm not being fully open with my dad but I'm worried that it's going to adversely affect his mental health treatment."
The data breaches have also impacted Sonia, who is both an Optus and Medibank customer. She is not overly concerned about her health history details as she is a relatively new Medibank customer but as a victim of rape, sexual assault and stalking, Sonia is very worried about her address or other contact details being revealed.
"I'm very careful about who I give my address to, and contact details and yet, potentially if my address is out there, or even my phone number and email address ... [someone] could potentially threaten me in real life by just turning up at my doorstep or by posting me something that makes me feel uneasy, or contacting me online," she said.
"It really, really makes me feel incredibly uneasy and distressed, especially as a person with PTSD [Post-traumatic stress disorder], it can trigger me."
'We are the victims'
Sonia said she supported Optus and Medibank's decision not to pay a ransom to the hackers but said she was "absolutely angry that they're referring to themselves as victims".
"We the customers whose data has been breached, we are the victims," she said.
While both Optus and Medibank have offered impacted customers one-year subscriptions to Equifax, a credit monitoring and identity protection service, Sonia says they are only valid for one year from now and can't be used one after the other to provide a longer period of protection.
"I don't see why Optus should be paying for people who are customers of both Optus and Medibank," she said.
"It's a very detached kind of support that's being offered. I know that there are numbers that they're offering to call for counselling and things, but I don't think that's enough."
She is now considering whether to switch to new providers but is concerned this may put her at more risk as her data will be stored in more places.
"I'm entrusting my data to more parties who could potentially be hacked as well," she said. "It's quite a struggle to figure out what to do now."
Australians are concerned about how to protect their data after leaks from Optus and Medibank.
Call for higher penalties for failing to protect data
Sonia wants to see higher penalties for companies that fail to protect sensitive data and doesn't understand why , as is currently being proposed.
She would also like to see changes to how text messages on mobile phones are delivered, as it is unclear at the moment which ones are coming from legitimate organisations.
"I go through stress every time I receive a phone call from an unknown number, and I'm basically letting all unknown numbers go through to voice mail," she said.
"All these micro-stressors contribute to this elevated, hyper-vigilance, and I don't think it's healthy even for people who don't have a predisposition or pre-existing mental illness - it's really quite harmful.
"I really would like to see more done around trying to protect people from not just the most malicious things but actually talking to traders to really make it easier to identify these things and to reduce the overall little stresses that are adding up."
It's really quite harmfulSonia*
The Australian Communications and Media Authority (ACMA) registered new rules in July this year that require telcos to identify, trace and block SMS scams.
But Sonia would like to see a reduction in the number of text messages that include links for people to click on, and has already been actively contacting companies to unsubscribe from SMS communications.
"I really want to reduce the number of text messages [my dad's] receiving overall and not have him habituated to clicking on any links, even if they're legitimate ones," she said.
"The stress of having to try and figure out, is this a legitimate text message or is this a scam? is stressful.
"Even for myself, all of these micro-stressors are adding up to being incredibly overwhelming."
'I would like to have more secure systems'
Monash University cybersecurity expert Professor Carsten Rudolph agreed it was problematic to give the responsibility to the end user and to have systems where people were expected to be careful.
"I would rather like to have more secure systems and really focus on a way to build our applications that these kind of behaviours don't matter that much," he said.
SMS scams are rife in Australia. (AAP)
Professor Rudolph said it was pretty easy for people to feel overwhelmed and questions should probably be asked about whether it was necessary for everything to be online and the need to share information with everybody.
"Many people can look at maybe reducing some of the unnecessary things," he said.
This could include reducing the number of apps installed on mobile phones, or not signing up for special deals on websites.
"But then at the end, it's kind of the responsibility of the companies and at the end, probably also government to change the regulations to improve security in all these different places," he said.
Professor Rudolph said systems needed to be changed so that it's not an individual's responsibility to figure out if someone had taken a loan in their name for example.
"The people who give loans need to be better in checking identities," he said.
"In many places, consumers can't take that responsibility."
If you or someone you know is impacted by sexual assault, call 1800RESPECT on 1800 737 732 or visit . In an emergency, call 000.
Readers seeking crisis support can contact Lifeline on 13 11 14, the Suicide Call Back Service on 1300 659 467 and Kids Helpline on 1800 55 1800 (for young people aged up to 25). More information and support with mental health is available at and on 1300 22 4636.
supports people from culturally and linguistically diverse backgrounds.
