Key Points
- Medibank said its investigation into the attack had now revealed the criminal had access to the personal data of all its customers.
- Significant amounts of health information have also been compromised.
Personal data of nearly four million Medibank customers was accessible to hackers behind an attack on the health insurer, the company says.
In an investor update on Wednesday morning, Medibank said its investigation into the attack had now revealed the criminal had access to the personal data of all its customers across ahm and Medibank brands, as well as international student customers.
Significant amounts of health information have also been compromised.
“Our investigation has now established that this criminal has accessed all our private health insurance customers' personal data and significant amounts of their health claims data,” Medibank chief executive officer David Koczkar said.
“The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal.
“As we’ve continued to say we believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially.
“I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.”
In a briefing with investors on Wednesday, Mr Koczkar said a hike to premiums would be delayed until 16 January 2023 for Medibank and ahm customers.
"Our priority now is to safeguard our customers and their data given we now know that data has been stolen," he said.
Mr Koczkar confirmed the company received multiple samples from the cyber criminals containing stolen data in recent days, leading its investigation to conclude all personal data had been exposed.
Medibank technology and operations group executive John Goodall said the company was confident the hackers were no longer in the company's network, but noted its investigations were still ongoing.
"Everywhere we've identified the breach, it's now closed, everywhere [but] the nature of the ongoing investigation is that we discover new things," he said.
"These are all historical events that we're talking about here. And yeah, everywhere that our forensics has identified we've addressed."
Medibank is Australia's largest private health insurer and has 3.9 million customers. The hack could also affect past customers as the insurer is required to keep health records of adult customers for seven years.
The statement also noted that Medibank did not have cyber insurance.
"We currently estimate $25 million-$35 million pre-tax non-recurring costs will impact earnings in 1H23 [first half of 2023]. These non-recurring costs do not include further potential customer and other remediation, regulatory or litigation related costs," the statement said.
The insurer revealed earlier this month that it had detected "unusual activity" on its network.
It said it had engaged "specialist cyber security firms", . But Medibank said on Tuesday the hack had taken a "distressing" turn after it .
They included files containing Medibank customer data as well as 1000 policy records from offshoot Ahm that had personal and health claims information. It comes after details from international student customers and Ahm were revealed to have been exposed earlier.
Government set to introduce harsher penalties
Medibank is working with the federal government as well as the Australian Federal Police and the Australian Signals Directorate's cyber security centre as part of the response.
On Tuesday, Home Affairs Minister Clare O'Neil said the National Co-ordination Mechanism, set up to handle the nation's COVID-19 response, had met three times since Saturday concerning the Medicare hack.
"For a cybercriminal to hang this [confidential health information] over the heads of Australians is a dog act. It is scum of the earth, lowest of the low territory," she told Question Time.
The Albanese Government is set to introduce new legislation to parliament this week that .
Penalties for a serious or repeated breach of privacy will increase from $2.22 million, up to a maximum of $50 million.
The Australian Information Commissioner will be provided with new powers to resolve privacy breaches, and the Notifiable Data Breaches scheme will be strengthened to ensure the Information Commissioner has knowledge of the information compromised to assess the risk to individuals.