Medibank says hackers had access to ‘all personal data’ belonging to all customers
Medibank, the Australian health insurance company which initially claimed to have foiled a ransomware attack — saying that it had found “no evidence customer data has been removed from our network” — has now confirmed that criminals had access to all of the personal data of all of its customers.
In a statement on Wednesday the company announced that its cybercrime investigation has found the attackers had access to “significant amounts of health claims data” alongside the personal details it held about current and former customers.
“We have evidence that the criminal has removed some of this data and it is now likely that the criminal has stolen further personal and health claims data,” the company said.
Medibank shares dropped 18% following the company’s announcement, wiping around AUS $1.7 billion ($1.1 billion USD) from the company’s market value. Trading in Medibank’s shares, which are publicly listed on the Australian Stock Exchange (ASX), was halted last week when the company announced it had received an extortion demand from criminals alongside evidence they had stolen some customers’ data.
Furious Medibank customers have written to The Age newspaper and threatened to bring forward a class action lawsuit against the company for the breach. The newspaper quoted a Melbourne woman who said that having the health data released publicly “poses a risk to potential employment,” for instance if employers realized someone had received mental health treatment and discriminated against them.
Medibank, which was government-owned before being privatized as a not-for-profit in 2014, has around 3.7 million customers in Australia and reported an annual group revenue of AUS $6.9 billion ($4.33 billion USD) in 2021.
The company on Wednesday warned the ASX that the incident was going to cost it at least AUS $25 million to address, even before considering customer compensation schemes, regulatory fines, and potential legal costs if it faces a class action.
In its statement, the company said: “Our priority is to continue working to understand the specific data that has been taken for each of our customers so that we can contact them directly to let them know.”
It said it had put together a support package for these customers, including financial support “for customers who are in a uniquely vulnerable position as a result of this crime. They will be supported on an individual basis.”
Free identity monitoring services will also be provided to customers who had their primary ID compromised, and customers who have had to pay to get identity documents re-issued will be reimbursed for that cost.
The company’s chief executive David Koczkar said: “Our investigation has now established that this criminal has accessed all our private health insurance customers’ personal data and significant amounts of their health claims data… I apologize unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.”