More than 3.7 million Medibank customers are anxiously waiting to learn if their personal medical information has been stolen by hackers after the health insurer admitted to a data breach on Thursday.
Authorities are scrambling to investigate the second major hack of an Australian corporation in as many months after Medibank received a ransom note claiming to have taken 200 gigabytes of customer data.
The stolen data includes Medicare numbers, names, addresses, dates of birth, phone numbers and “some claims data”, the company said, adding that it has begun contacting customers affected by the breach.
Hackers also claim to have taken credit card security information, but Medibank said it hasn’t been able to verify that yet.
Cyber Security Minister Clare O’Neil said on Thursday that the theft of personal medical information, including data about procedures and diagnoses of health conditions, was a “dog act”.
“Financial crime is terrible, but ultimately a credit card can be replaced,” Ms O’Neil said.
“The threat that is being made here to make the private personal health information of Australians available to the public is a dog act.”
Medibank said it was co-operating with authorities as they investigate.
“I unreservedly apologise for this crime,” Medibank boss David Koczkar said. “I know that many will be disappointed with Medibank.”
What we know about the Medibank hack
Medibank admitted on Thursday that its systems were hacked, after suggesting on Wednesday that it was investigating “claims” of a cyber attack.
The Medibank cyber attack is understood to have occurred last week.
The hackers claim to have taken 200GB worth of data and have sent a sample of the information to Medibank, including records for 100 of its policies – namely for its AHM and international student product offerings.
Medibank said this sample includes information on insurance claims and a raft of other personal data, including names and phone numbers.
“The criminal claims to have stolen other information, including data related to credit card security, which has not yet been verified by our investigations,” the company stated on Thursday.
The Australian Federal Police, in conjunction with the Australian Signals Directorate and the Australian Cyber Security Centre, are investigating.
Medibank, a publicly listed company, has halted trading in its shares.
What we don’t know about the Medibank hack
Medibank emailed customers on Thursday morning about the attack, but an email seen by The New Daily failed to alert customers about what personal data of theirs had been stolen by the hackers.
The company has also not publicly disclosed how many of its more than 3.7 million customers have been affected by the breach.
We don’t know if the Medicare information stolen by the hackers was current or expired, or whether financial information was taken too.
Additionally, neither Medibank nor other government authorities have disclosed how the hack occurred or whether the criminals are likely to be independent or state-sponsored attackers.