Medibank has revealed that the cyber attack on its customers' data is much wider than originally thought in a "distressing development" that could impact millions of Australians.
Up to four million current Medibank customers may have had their data stolen, plus the healthcare provider has also confirmed that sensitive information linked to past customers is also wrapped up in the saga.
In a distressing revelation, ABC News has also confirmed that the personal information of children linked to their parents' healthcare accounts may have be impacted too.
"This is a malicious attack by a criminal," Medibank chief executive David Koczkar told ABC News.
"It is deliberate. And it is designed to cause maximum harm and damage to our customers."
The healthcare provider first reported "unusual activity" had been detected on its network on October 12.
Since then, it had said the data breach was confined to its budget insurance company sub-brand ahm, and data collected about international students studying in Australia who use Medibank under its OSHC service.
On Tuesday morning, Medibank confirmed that data from its main brand was also now believed to have been compromised.
"This is a distressing development and Medibank unreservedly apologises to our customers," the company said in a statement this morning.
Mr Koczkar told ABC News that a criminal entity first sent Medibank samples of data it has allegedly accessed last week, and then sent a second lot of data to it over the weekend.
The company said it had come to the conclusion that the main brand Medibank data was also included after going over the latest data set.
So far, only 1,000 data sets have been sent to Medibank.
The company still does not know how many customers are actually impacted.
The company has been emailing many customers about the data breach, which has been confusing some people about whether they are actually confirmed to have had their data stolen.
"I am operating under the assumption that all customers could have been impacted," Mr Koczkar said.
"At the moment, we know with ahm, they've accessed personal information, which includes name, address, phone number, Medicare card number, record of hospital procedures, including diagnosis codes, and procedure codes."
"All health information is sensitive, personal information is sensitive."
He confirmed that Medibank was required to hold onto past customers' data under law, which is why former clients could be caught out by this breach.
Data theft is concerning because it could lead to financial crime against a person by using their identity.
The Medibank hack follows another high-profile attack on Optus.
Cyber Security Minister Clare O'Neil described the development as deeply concerning.
"One of the reasons why the government is so worried about this is because of the nature of the data that's been held here," she told parliament.
"In a lot of cyber attacks, our big fears are around identity theft and financial crime and those are very difficult, complex and important cases but ultimately something can usually be done to protect consumers.
"When it comes to the personal health information of Australians, the damage here is potentially irreparable.
"For a cybercriminal to hang this over the heads of Australians is a dog act. It is scum of the earth, lowest of the low territory."
The government has also announced it has activated a crisis response model to support Australians affected by the Medibank cyber hack, bringing together agencies and stakeholders across the states and commonwealth.
Ms O'Neil said the National Coordination Mechanism was initially developed to manage specific challenges of the COVID pandemic, but would now be used to help deliver a coordinated response to the breach.
"This is an enormous wake-up call for the country," she said.
"Cyber criminals are the thugs of the 21st century, the bag snatchers and the armed robbers. We need to do more as a country to step up but in the meantime this government is doing everything it can to protect Australians against this breach."
Cyber attack started after 'sensitive login details' breached
Medibank has been working with the Australian Federal Police and other cybersecurity authorities on the criminal investigations.
Mr Koczkar told ABC News that an entity has accessed sensitive login details to its systems.
"What we know is the criminals did steal a username and password from someone with high level access to our system," he said.
"They then personated this individual and that's how they got into the systems.
"The rest of the details, you'd appreciate are part of our ongoing analysis, which can't say any more this time because we're not completed."
All Medibank and ahm customers have been urged to contact the company's cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or through an information page on the firm's website.
Medibank said its customers can also speak to experienced and qualified mental health professionals 24/7 over the phone for advice or support around mental health or wellbeing (1800 644 325).
Medibank has also deferred increases to its premiums until next year due to the cyber attack.