Medibank says it will not pay ransom demands made by the criminal who stole the personal data of millions of its customers.
Medibank CEO David Koczkar said giving in to the demands would do little to ensure customers’ data was not publicised.
“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” he said in a statement on Monday morning.
“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”
Monday’s announcement came in a statement to the ASX.
The October hack has also grown further, with the company revealing that extensive personal details of nearly 10 million current and former customers were accessed. That number has more than doubled since Medibank’s last update on the cyber attack, when it said it thought about 4 million accounts were affected.
It said 5.1 million of those affected were Medibank customers, 2.8 million were with its budget arm ahm, and 1.8 million were international customers.
The health insurer, which is Australia’s largest, said its stance on refusing to pay any ransom was consistent with the federal government’s position.
Medibank again urged customers to remain vigilant. Mr Koczkar said the company took its responsibility to safeguard customers “very seriously”.
“The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” he said.
Medibank determines what was stolen
Medibank has also revealed more details about exactly what data has been compromised in the hack.
The stolen data includes the names, dates of birth, addresses, phone numbers and email addresses of around 9.7 million current and former customers. AHM customers also had their Medicare numbers accessed, but not expiry dates.
Passport numbers, though not expiry dates, were also accessed, along with visa details for international students and customers.
The health data for about 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers was accessed.
“This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered,” Medibank said.
“Additionally, around 5200 My Home Hospital patients have had some personal and health claims data accessed, and around 2900 next of kin of these patients have had some contact details accessed.”
My Home Hospital is a South Australian healthcare program that allows some patients to be treated in their homes.
Medibank said the hacker had accessed names, provider numbers and addresses of health providers.
However, no primary identity documents – such as drivers’ licences – have been accessed for any customers. Medibank does not usually collect primary identity documents.
Health claims data for additional services such as dental, physio and psychology were also spared, as were credit card and banking details.
Help for affected customers
Mr Koczkar said Medibank’s cyber response support program would continue for all affected customers.
It offers mental health and wellbeing support, identity protection and financial hardship measures.
The insurer continues to work with the federal government, the Australian Cyber Security Centre and the Australian Federal Police.