Medibank has confirmed the criminal entity behind the cyber attack on the company had access to the data of at least 4 million customers, some of which includes health claims.
The private healthcare provider said on Tuesday it had suspicions that was the case, but today confirmed it.
In a statement, the company said its investigation had established all Medibank, ahm and international student customers' personal data had been accessed in the cyber attack.
Significant amounts of health-claims data were also accessed.
But Medibank is yet to determine whether that means the data has actually been stolen.
The company said it expected the number of affected customers to grow substantially as the investigation continued.
The hack impacts about 4 million current customers, along with an unknown number of former customers.
Medibank said it was required by law to hold onto past customers' data, which was why former clients could be caught out by this breach.
Laws such as the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (VIC) and the Health Records (Privacy and Access) Act 1997 (ACT) require the company to keep the health information of adults for at least seven years and, for individuals younger than 18, until that individual is at least 25 years old.
Many current and former customers, including international student customers, have told the ABC they are concerned about safety issues, their parents overseas, and being targeted by scammers.
It is compulsory for all international students to purchase overseas student health cover (OSHC) to meet their visa conditions.
Medibank has initiated a dedicated cybercrime customer support package to respond to the breach and is urging anyone who has been affected to contact it.
Calls for legislation to protect data
Cybersecurity experts say the Medibank breach is even worse than the one that hit Optus, given the medical information involved.
Richard Buckland from the University of New South Wales told ABC News the hackers might now be in possession of very sensitive information.
"Even more worrying is the danger of extortion that our people's medical records — often containing sensitive information that is quite personal and would cause a lot of stress to some people to have revealed — that information now is possibly all going to be publicly revealed," Professor Buckland said.
"[There is] a lot of pressure, I imagine, on Medibank to contemplate actually paying the ransom."
He said Australians could not trust anyone to look after data safely, and legislation was needed to protect people's information from large-scale hacks.
"It'd be lovely to see some legislation preventing people from collecting the data and forcing anyone that has collected data to delete it," he said.
"That would go a long way to protecting us.
"Unfortunately, at the moment everyone aggregates the data and it's very attractive to attackers to go for aggregated data."