Medibank has admitted that confidential information from every one of its four million customers has been accessed in its worsening data leak.
In a significant admission on Wednesday, Australia’s largest health insurer said details of all of its customers, and those of budget arm Ahm, had been affected by the breach.
Information accessed includes personal data and “significant amounts” of health claim information from customers of Medibank, AHM and international students.
“We have evidence that the criminal has removed some of our customers’ personal and health claims data and it is now likely that the criminal has stolen further personal and health claims data,” the company said in a statement on Wednesday.
“As a result, we expect that the number of affected customers could grow substantially.”
Medibank had already said on Tuesday that the hack was bigger than it first thought. Wednesday’s announcement is a further significant escalation.
The health insurer has been contacting current and former customers who might have had their personal information stolen in the hack.
On Wednesday, it said the investigation was continuing.
“Our investigation has now established that this criminal has accessed all our private health insurance customers’ personal data and significant amounts of their health claims data,” chief executive David Koczkar said on Wednesday.
“The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal.”
He again “apologised unreservedly” to the company’s millions of customers.
“This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community,” Mr Koczkar said.
Medibank has announced a support package for affected customers that includes:
- Financial support for those who are in a uniquely vulnerable position as a result of this crime
- Access to Medibank’s mental health and wellbeing support line for all customers, including ahm customers
- Access to specialist identity protection advice and resources from IDCARE
- Free identity monitoring services for customers who have had their primary ID compromised
- Reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime
Affected customers should contact Medibank Private on 132 331 or AHM on 134 246.
Tougher fines for cyber crimes
Companies will soon face tougher fines if their customer data is hacked, under new laws introduced to federal parliament.
The laws, brought in by the government following the Optus and Medibank data breaches, will increase the penalty for data breaches from $2.2 million to at least $50 million.
Attorney-General Mark Dreyfus said recent breaches had shown the serious impact data hacking had on Australians.
“Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset. The law must reflect this,” he told parliament on Wednesday.
“Setting these penalties at a higher level will accord with the Australian community expectations about the importance of protecting their personal data.”
Under the new laws, companies will be fined whichever is the greatest of $50 million, 30 per cent of the company’s turnover in the relevant period, or three times the value of any benefit gained from the stolen data.
The introduction of the bill was fast-tracked following the Optus data breach.
-with AAP