No cyber insurance as Medibank breach hits four million customers

Lack of cyber insurance means the incident will cost Medibank between $25 and $35 million

David Koczkar (Medibank)

Credit: Medibank

Medibank has confirmed it has no cyber insurance following a breach that has seen cyber criminals access all of its 3.9 million customers' personal data.

The lack of cyber insurance means that the incident could cost between $25 and $35 million, excluding costs accrued in remediation or legal fees.

Speaking to shareholders and customers, Medibank said that the cyber thieves now have access to all its own customers' personal data and significant amounts of health-claims data, along with that of its ahm and international students’ units. 

Yesterday, Medibank said the breach was bigger than first believed but confirmed on 26 October that all personal data had been accessed. 

The company is now attempting to establish the specific data that has been taken for each customer, whom it will contact directly.

The insurer confirmed that none of its IT systems have been encrypted by ransomware and it has now “prioritised preventing further unauthorised entry to our IT network”.

It said it has also bolstered existing monitoring, adding further detection and forensics capability across Medibank’s systems and network and scaling up analytical support via specialist third parties. 

The Australian Federal Police (AFP), Australian Cyber Security Centre (ACSC) and third-party IT experts are now working with Medibank to unravel the breach. 

“Our investigation has now established that this criminal has accessed all our private health insurance customers' personal data and significant amounts of their health claims data,” Medibank CEO David Koczkar said.  

“The investigation into this cyber crime event is continuing, with a particular focus on what data was removed by the criminal. 

“As we’ve continued to say we believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially. 

“I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.” 

Medibank first reported that "unusual activity" had been detected on its network on October 12.

Last week, the insurer said that the data breach was confined to its insurance company sub-brand ahm, as well as international students studying in Australia who use Medibank under its Overseas Student Health Cover (OSHC) service. At the time, it said an estimated 200GB had been taken.
