When Zhan Huang heard that Medibank had been hacked two weeks ago, his heart sank.
The Sydney resident, who works in the education sector, is a customer of both Medibank and Optus.
Just about a month ago, his personal data including passport number was stolen during the high-profile attack on the telco, which exposed the data of almost 10 million Australians.
Now his health information could be in the hands of criminals too.
"Name, date of birth, what visa I was on, my Medicare number and my home address," Mr Huang said, listing information he provided to Medibank.
"I'm angry about how many personal details they asked for.
"And I'm really tired of hearing one company after another having data breaches."
Mr Huang received two separate emails from Medibank about the cyber attack — one was delivered to his current email address and the other was delivered to an email address he used when he was an international student several years ago.
He suspects the data he provided to Medibank during university for overseas student health cover (OSHC) was also hacked.
Medibank first reported "unusual activity" had been detected on its network on October 12.
On Tuesday, the private health provider revealed the cyber attack on its customers' data was much wider than originally thought, and could impact about 4 million current customers along with an unknown number of former customers too.
The company said the data breach impacted its main brand, budget insurance company sub-brand ahm and data collected about international students studying in Australia who use Medibank under its OSHC service.
It's compulsory for all international students to purchase OSHC to meet their visa conditions.
Fears of scams and safety issues
Chinese international student Amber Xu transferred her OSHC service to Medibank about five months ago, but she said she regretted that decision because of the recent data breach.
"I wouldn't choose them if I knew," the engineering student told the ABC.
"But I'm a Medibank user and I have a contract for three or four years. I can't change it."
Ms Xu said she and her parents back in China generally stayed vigilant, but scammers could still try to approach her parents because phone numbers and the home address of her parents provided to Medibank were potentially hacked.
"They might receive a call or something saying, 'Your daughter is in trouble, I need some money,''' she said.
"Lots of parents in China are worried about us if they can't get in touch with us very frequently. This could lead them into traps.
"International students are vulnerable to scams."
Indian international student Nayonika Bhattacharya, who is also a current Medibank customer, agreed.
She said she was also disappointed about the communication from the insurer.
"I'm just genuinely really upset as a customer," she told the ABC.
"Being left in the dark for so many days and then just watching it happens in public is quite a scary experience.
"Myself and a lot of my other friends who are with Medibank are scrambling to figure out what information has been disclosed or not."
Ms Bhattacharya is also the president of the Student Representative Council at UNSW.
She said the medical data breach could have serious repercussions for some of the more vulnerable student cohorts.
"If you're a queer student, if you're seeking certain medical support, surgery or procedures, and if you come from countries where it's not supportive, essentially it compromises your life safety," she said.
"Because if some things get found out, some people won't be getting the medication they need to survive mental illnesses or other conditions like PTSD and ADHD, or if you need affirmation surgeries and things like that.
"So it's literally putting people's lives at risk and it could mean that a lot of people would live in constant paranoia."
Ms Bhattacharya added that urgent intervention from the federal government was needed.
On Tuesday, Cyber Security Minister Clare O'Neil described latest development in the Medicare data breach as deeply concerning.
"When it comes to the personal health information of Australians, the damage here is potentially irreparable," she told parliament.
"For a cybercriminal to hang this over the heads of Australians is a dog act. It is scum of the Earth, lowest of the low territory."
Public confidence in tatters
Medibank chief executive David Koczkar has apologised and said the attack was "malicious" and "deliberate" and designed to "cause maximum harm and damage" to his customers.
He also said Medibank was required to hold onto past customers' data under law, which was why former clients could be caught out by this breach.
And that is making former Medibank customer Erika Katalbas increasingly nervous.
She switched her health provider about a year ago.
Ms Katalbas said she was a victim of the Optus hack and was surprised how soon the Medibank breach happened after that.
"It's giving me anxiety because as a former international student and a current temporary resident, I'm already at a vulnerable situation where I’m in a different country, I don't have the same rights and protections as citizens," Ms Katalbas, who is originally from the Philippines, told the ABC.
"I worry for what my data will be used for. I have a lot of unanswered questions and have no clarity on the specific and possible implications to my data.
"I have no idea as well about whether these companies will be held accountable in the occasion that my data is misused."
So far, Medibank has yet to determine the full extent of the customer data that has been stolen, but has offered a support package to affected customers, including financial and mental health support.
It said it would defer premium increases for Medibank and ahm customers which were scheduled to rise on November 1, 2022, now to occur on January 16, 2023.
Cyber security experts like Sanjay Jha say this breach is even worse than the one that hit Optus, given the medical information involved.
Professor Jha, who is from UNSW Institute for Cybersecurity, said the Medibank incident was a "wake-up call" that every Australian was at risk of data breaches.
"It is very disturbing. It has brought the public confidence to the lowest level we may have seen in years," he said.
"I think businesses are collecting too much information for what they need.
"We saw the government proposing to increase the penalties to $50 million and there will be a requirement for companies to do their risk assessment and install processes to protect users and their businesses."
All Medibank and ahm customers have been urged to contact the company's cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or through an information page on the firm's website.
Medibank said its customers could also speak to experienced and qualified mental health professionals 24/7 over the phone for advice or support around mental health or wellbeing (1800 644 325).