Medibank, Australia’s largest private health insurance provider, has confirmed that last week’s “cyber incident” has resulted in a data breach.
“Medibank has been contacted by a criminal claiming to have stolen 200GB of data,” the company said. “The criminal has provided a sample of records for 100 policies which we believe has come from our ahm and international student systems.”
The extent of the Medibank data breach
The attack on Medibank was spotted on October 12, when they detected unusual activity on the company network. Medibank Group took action: they engaged cyber security firms and began “isolating and removing access to some customer-facing systems to reduce the likelihood of damage to systems or data loss.”
On Monday (October 17), the company said that it has “contained the ransomware threat” and that its systems were not encrypted by ransomware. On Wednesday (October 19), it confirmed the attackers got in touch with claims they have stolen data from the company’s systems.
On Thursday (October 20), Medibank shared that the sample records the attackers provided as evidence of their claim turned out to be valid.
“That data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data. This claims data includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures,” they noted.
“The criminal claims to have stolen other information, including data related to credit card security, which has not yet been verified by our investigations.”
While the company has begun contacting affected customers, they did not say how many were affected. “We expect the number of affected customers to grow as the incident continues,” they pointed out.
Medibank has nearly 4 million customers, but it’s possible that the data of former customers has also been compromised.
The company said the attackers got in by compromising user credentials, but details are still fuzzy.
Next steps for affected customers
According to The Sydney Morning Herald, the attackers are threatening to contact 1000 of Medibank’s most prominent customers with their personal information/diagnoses, before ultimately selling the entirety of the stolen data to third parties.
“This cybercrime is now the subject of an investigation by the Australian Federal Police,” Medibank CEO David Koczkar has said, and added that they plan to share technical information with peers across the industry to help them “to bolster their own defences.”
Medibank is getting help in the investigation from private cybersecurity companies, as well as the Australian Signals Directorate (the country’s cybersecurity agency) and the Australian Cyber Security Centre (ACSC).
Clare O’Neil, the Australian Minister for Home Affairs and Minister for Cyber Security, noted that the thing to worry about here is the release of customers’ health information.
“Financial crime is a terrible thing, but, ultimately, a credit card can be replaced. The threat that is being made here to make the private, personal health information of Australians made available to the public is a dog act, and that is why the toughest and smartest people in the Australian Government are working directly with Medibank to try to ensure that this horrendous criminal act does not turn into what could be irreparable harm to some Australian citizens,” she said during a press conference on Thursday.
“Medibank is in discussions with government stakeholders about what else we can do to assist our customers in safeguarding their identities and health information, and we will be in touch with customers about those steps directly,” the company said.
In the meantime, they have warned customers about potential phishing attempts fueled by the stolen data. The ACSC has also provided advice for affected customers, to minimize the fallout of their data getting compromised.
UPDATE (October 25, 2022, 07:40 a.m. ET):
As expected, the scope of the data breach is widening.