Medibank hack grows
Customers’ records stolen by criminals
MEDIBANK revealed the data hack of its network had exposed all of its 3.9 million customers, with personal health information and Medicare numbers breached.
It is expecting the number of customers who have had their medical records and other personal data stolen to “grow substantially” after criminals hacked into all the company’s brands via a Russian online criminal forum.
Chief executive David Koczkar said the attack was a “a terrible crime”.
“This is a crime designed to cause maximum harm to the most vulnerable members of our community,” he said. “Our investigation has now established that this criminal has accessed all our private health insurance customers’ personal data and significant amounts of their health claims data. The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal.
“We believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially.”
Mr Koczkar said the hack would probably cost the health insurer $25-$35m pre-tax, but warned the bill could be more expensive.
“This cybercrime event continues to evolve and at this stage, we are unable to predict with any certainty the impact of any future events on Medibank, including the quantum of any potential customer and other remediation, regulatory or litigation related costs.”
On Tuesday, Medibank said it had deferred premium increases after confirming its cybercrime event included theft of Medibank customer data, as well as that of AHM and international students. The deferments are estimated to cost the company north of $50m.
“Our investigation has now established that the criminal had access to: all AHM customers’ personal data and significant amounts of health claims data; all international student customers’ personal data and significant amounts of health claims data; all Medibank customers’ personal data and significant amounts of health claims data,” Mr Koczkar said.
“The investigation into the cybercrime event is continuing, with particular focus on identifying which systems and networks were accessed and what data was removed by the criminal. Concurrent to the investigation, Medibank has prioritised preventing further unauthorised entry to our IT network and is continuing to monitor for any further suspicious activity.”
The hackers punctured Medibank’s cyber defence strategy – which is considered best practice and has successfully fended off 250 million attacks known as perimeter attempts a month – to steal “very specific” customer data, including sensitive health information such as the medical conditions customers have been diagnosed with and treatments they were prescribed.
This could potentially include deeply personal information relating to sexual health, serious diagnoses such as cancer, whether a woman has undergone a termination, and whether a person has been treated for a mental health condition or substance abuse.
On Monday, Medibank apologised to customers after the health insurer sent letters to their dead relatives saying their medical records and other personal data may have been stolen in a cyber attack.