The personal details of nearly four million Medibank customers were accessed by the hackers behind the attack on the health insurer, the company said.
In a note to investors on Wednesday morning, Medibank said an investigation into the attack revealed that the perpetrator had access to the personal data of all its ahm and Medibank brand customers, as well as international students.
Significant amounts of medical information were also compromised.
“Our investigation has established that this criminal gained access to all of our private health insurance customers’ personal data and to significant volumes of their healthcare claims,” said Medibank chief executive David Koczkar.
“The investigation into this cybercrime is ongoing, with a particular focus on what data was removed by the perpetrators.
“As we’ve continued to say, we believe the scale of stolen customer data will be greater, and we expect the number of affected customers could rise significantly.
“I apologize unreservedly to our customers. This horrific crime is a crime designed to cause maximum harm to the most vulnerable members of our community.”
In a briefing with investors on Wednesday, Mr Koczkar said the premium increase would be delayed until January 16, 2023 for Medibank and ahm customers.
“Our priority now is to protect our customers and their data as we now know that data has been stolen,” he said.
Mr Koczkar confirmed that the company had received several samples containing stolen data from the cybercriminals in recent days, leading the investigation to conclude that all personal data had been exposed.
Medibank’s group head of technology and operations, John Goodall, said the company was confident the hackers were no longer on the company’s network, but noted the investigation was still ongoing.
“Wherever we have identified a violation, it is closed, everywhere, [but] the nature of an ongoing investigation is that we are discovering new things,” he said.
“These are all historical events that we are talking about here. And yes, everywhere that our criminalistics determined, we examined.”
Medibank is Australia’s largest private health insurer with 3.9 million customers. The hack could also affect past customers, as the insurer is required to keep medical records of adult customers for seven years.
The statement also notes that Medibank does not carry cyber insurance.
“We currently estimate that one-time pre-tax charges of between $25 million and $35 million will impact earnings in the first half of 2023. These one-time costs do not include additional potential customer costs and other remediation, regulatory or litigation costs,” the statement said.
Earlier this month, the insurer revealed it had detected “unusual activity” on its network.
It said it had brought in “specialist cyber security firms”. But Medibank said on Tuesday that the hack had taken a “disturbing” turn.
These included files containing Medibank customer data, as well as 1,000 policy records from the Ahm branch, which contained information on personal and health claims. This comes after it was revealed that details of the international student clients and Ahm had been leaked earlier.
The government is going to introduce tougher penalties
Medibank is working with the federal government, as well as the Australian Federal Police and the Australian Signals Directorate’s Cyber Security Centre, as part of the response.
On Tuesday, Home Affairs Minister Clare O’Neil said the National Coordination Mechanism set up for the country’s response to COVID-19 had met three times since Saturday about the Medibank hack.
“For a cybercriminal to hang it [confidential health information] above the heads of the Australians – a dog. They are the scum of the earth, the lowest part of the lowland,” she told Question Time.
The Medibank hack is the second high-profile cybercrime to hit Australians in two months.
The Albanese government intends to submit a new law to parliament this week.
Penalties for serious or repeated privacy violations will increase from $2.22 million to a maximum of $50 million.
The Australian Information Commissioner will be given new powers to deal with privacy breaches and the Notifiable Data Breach Scheme will be strengthened to ensure the Information Commissioner is aware of breached information to assess the risk to individuals.