Medibank customers have been dealt another major blow after the company confirmed today that all of its customers’ personal details were exposed to cybercriminals, along with a “significant number” of health claims.
The hacking scandal now threatens to overshadow the recent Optus hack, potentially affecting millions of customers.
In the company’s cybercrime, business and outlook update for FY23, announced this morning, Medibank revealed that as of yesterday, it had discovered that the criminal behind the breach had access to “all of ahm’s personal customer data and a significant amount of claims data for health, all international students’ personal customer data and significant amounts of health claims data, and all Medibank customers’ personal data and significant amounts of health claims data.”
“As previously reported, we have evidence that the perpetrator deleted some of our customers’ personal and health data, and it is now likely that the perpetrator stole additional personal and health data,” it said.
“As a result, we expect that the number of affected customers could increase significantly.”
Medibank has announced a support package for affected customers, which includes financial support for customers who have been placed in a particularly vulnerable position as a result of the crime, access to Medibank’s mental health and wellbeing support line for all customers, access to specialist advice and resources for identity protection, free identity monitoring services for customers whose primary ID has been compromised, and reimbursement for the reissuance of identity documents that have been fully compromised as a result of this crime.
Medibank has confirmed that it is operating as normal and is working with the AFP, specialist cyber security firms, the Australian Cyber Security Centre (ACSC) and government stakeholders.
Medibank stressed that its “priority is to continue working to understand the specific data that was taken for each of our customers so that we can contact them directly to inform them”.
The company added that cybercrime “continues to evolve and at this stage we cannot predict with certainty the impact on Medibank of any future developments, including the number of potential customers and other costs of remediation, regulatory or legal proceedings”.
Medibank chief executive David Koczkar confirmed that the investigation “found that this perpetrator gained access to the personal data of private health insurance customers and to significant volumes of their health claims”.
“The investigation into this cybercrime is ongoing, with a particular focus on what data was removed by the perpetrators,” he said.
“As we’ve continued to say, we believe the scale of stolen customer data will be greater, and we expect the number of affected customers could rise significantly.
“I apologize unreservedly to our customers. This horrific crime is a crime designed to cause maximum harm to the most vulnerable members of our community.”
Shocked by Medibank’s stunning admission
Meanwhile, attention has turned to one shocking admission buried in Medibank’s statement – the fact that it had no cyber insurance.
“Based on our ongoing cybercrime response, noting that Medibank does not have cyber insurance, we now estimate that a one-off pre-tax charge of $25m-$35m will impact earnings in 1H23. These one-time costs do not include additional potential customer costs and other remediation, regulatory or litigation costs,” the statement said.
Australian cyber security expert Ajay Unni, CEO of cyber security company StickmanCyber, told news.com.au he was shocked by the revelation and said it indicated the company was likely blindsided by the hacker.
“That means it will come out of profit and there could be a significant problem with profitability,” he said, adding that Medibank would now have to fork out for the costs of helping victims as well as the costs of the breach itself.
“It’s very worrying that they don’t see it as a risk.”
Speaking to investors this morning, Medibank CFO Mark Rogers said the company does not have cyber insurance for three reasons.
“It’s a cost, costs have gone up a lot over the last couple of years,” he explained.
“It’s coverage, so how much coverage can you get in terms of the total amount of exposure plus the proportion of the risk and, more importantly, is the actual ability to make a claim.
“So even though we didn’t have cyber insurance, I wouldn’t expect, if we did, based on the policies we’ve seen over the last couple of years, that most of the costs that we’re now charging ($25 million to $35 million) would even be covered.”
Mr Unni said the Medibank hack was even worse than Optus given the privacy of the information that was compromised.
“Optus disclosed the 100-point identity check, but Medibank has that plus people’s medical records,” he explained.
“You can replace someone’s passport or driver’s license, but you can’t replace their first and last name, date of birth and medical records — including medical history, which some people may not want to make public.
“It’s all there and available to criminals now, so it’s much more complex and disruptive than Optus.”
Mr Unni said Australia was woefully unprepared for cybercrime, and that while the Optus and Medibank hacks dominated the headlines, hacks were happening all the time.
“It’s not a matter of if you’re going to be attacked, it’s a matter of when – it’s inevitable,” he said.
“This is a huge concern because consumers are handing over our data to companies… and we need to put an end to data mismanagement and put consumers first.”
News.com.au has contacted Medibank for comment.
Originally published as Major twist in Medibank hack scandal: The company admits all customer data was exposed to crime