David Koczkar (Medibank)
Health insurer Medibank has unveiled a “distressing development” in its cyber hack investigation as criminals claim to have 1,000 ahm records of personal and health data.
The publicly listed company told shareholders that the cyber attack on its data is bigger than first believed, with its own customers and additional ahm and international student customer data also affected.
Medibank said criminals had sent it copies of records of 100 policies allegedly from their system, alongside the 1,000 ahm policy records.
The data hack is now subject to a criminal investigation by the Australian Federal Police (AFP).
“Given the complexity of what we have received, it is too soon to determine the full extent of the customer data that has been stolen,” Medibank told shareholders.
“We will continue to analyse what we have received to understand the total number of customers impacted and specifically which information has been stolen.”
Medibank CEO David Koczkar “unreservedly” apologised to customers.
“As we continue to uncover the breadth and gravity of this crime, we recognise that these developments will be distressing for our customers, our people and the community – as it is to me,” he said.
“This is a malicious attack that has been committed by criminals with a view to causing maximum fear and damage, especially to the most vulnerable members of our community.
“We continue to work closely with the agencies of the federal government, including the ongoing criminal investigation into this matter. We thank them for their ongoing support and assistance.”
Medibank first reported that "unusual activity" had been detected on its network on October 12.
Last week, the insurer said that the data breach was confined to its insurance company sub-brand ahm, as well as international students studying in Australia who use Medibank under its Overseas Student Health Cover (OSHC) service. At the time, it said an estimated 200GB had been taken.
Medibank said it now expects the number of affected customers to grow and said it is assisting the AFP in its ongoing investigation.
It also told shareholders that it was offering a “comprehensive” customer support package, which will include 24/7 mental health and wellbeing support, support for customers who are in uniquely vulnerable positions and access to specialist identity protection advice with IDCARE for all customers.
It also added it would defer premium increases for Medibank and ahm customers until 16 January 2023 due to the “distress” caused by the hack.
In the wake of the Medibank and Optus hacks, the federal government is proposing to impose $50 million fines on companies for serious or repeated privacy breaches.
Under accelerated planned changes to the Privacy Act, the maximum fine for data breaches will rise from $2.2 million to up to $50 million, 30 per cent of adjusted turnover or three times the value of any benefit obtained through the misuse of information, whichever is the greater amount.
