Medibank, an Australian insurance firm, have confirmed that following a data breach hackers have accessed all of their customers’ personal data and a significant amount of health claims data. Estimated to cover more than 3.9 million people they are one of Australia’s largest private health insurance providers. Most recently it has been confirmed that patient information relating to My Home Hospital has also been accessed.
Their announcement from Wednesday states the hackers have accessed:
- All ahm customers’ personal data and significant amounts of health claims data
- All international student customers’ personal data and significant amounts of health claims data
- All Medibank customers’ personal data and significant amounts of health claims data
In their previous update they advised that the incident was under investigation by the Australian Federal Police and shared what they could. This included that they had been contacted by a criminal claiming to have stolen 200GB worth of data. A sample of 100 records was provided to verify this claim. This sample included:
- First names
- Surnames
- Dates of birth
- Addresses
- Medicare numbers
- Policy numbers
- Phone numbers
- Some claims data
Medibank stated that they “expected the number of affected customers to grow as the incident continues”. They have since received a file containing a further 1000 policy records from the hacker. They said they are working with all Australian banks and relevant government agencies to help them take additional steps to increase monitoring of affected customers accounts.
My Home Hospital
My Home Hospital is a service delivered by a joint venture between Calvary and Medibank on behalf of Wellbeing SA and the South Australian Government. Medibank announced that while it is unclear if data has been removed it has definitely been accessed. This includes personal information and health data. They advise anyone admitted on or after 13 October 2022 has not been affected. Patients have already started to be contacted if they are affected. Read more about this most recent development.
Customer Support
Medibank have put together a support package for their customers. All of their customers will have access to specialist identity protection advice and resources from IDCARE and Medibank’s mental health and wellbeing support line. For those that have had their data stolen the support includes:
- Financial support for customers who are in a uniquely vulnerable position as a result of this crime. They will be supported on an individual basis.
- Free identity monitoring services for customers who have had their primary ID compromised
- Reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime
A scheduled increase in premiums that was due to take place next week on November 1 has now been pushed back to 16 January 2023.
I unreservedly apologise for this crime which has been perpetrated against our customers, our people, and the broader community. I know that many will be disappointed with Medibank and I acknowledge that disappointment. This cybercrime is now the subject of an investigation by the Australian Federal Police. We will learn from this incident and will share our learnings with others. Medibank will remain open and transparent and will continue to provide comprehensive updates as often as we can and need to.
Medibank CEO, David Koczkar – https://www.medibank.com.au/livebetter/newsroom/post/medibank-cyber-incident-response
Financial Impact
Medibank announced that this is likely to cost the company a minimum of $25-$35 million ($16,214,000-$22,699,600 USD) given that they don’t have cyber insurance. However, these costs do not include any customer compensation, potential legal costs, or regulatory fines they could incur. This comes after the Australian government recently announced their plans to change their rules around data breaches. Plans include increasing the maximum penalty a company could face for a data breach from the current $2.22 million ($1,426,832 USD) to $50 million ($32,428,000 USD).
Customers or patients who are concerned about whether they have been impacted can read more about how to contact someone and the support available on the Medibank website. Read more about the importance of privacy in a business.
