Australian health insurance giant Medibank has revealed the hack of customer records has affected more customers than first thought, with the CEO saying the company is acting on the assumption all customers are affected.
Earlier this month Medibank said it believed that only customers of its subsidiary ahm and those who were international students might have been affected by the hack of its systems. But now the company has said it has received files from the hackers that include main brand customers – widening the range of those potentially affected to 3.9 million.
Medibank described the revelation as a “distressing development” and apologised to customers.
“As we continue to uncover the breadth and gravity of this crime, we recognise that these developments will be distressing for our customers, our people and the community – as it is to me,” the Medibank CEO, David Koczkar, said.
“This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community.”
He later told the ABC the company was proceeding as though all its customers could have had data stolen.
“Given the unfolding nature of the cybercrime and the complexity of the data, I’m operating under the assumption that there is a potential that all customers could be impacted,” he said.
In a statement to the ASX, the company said it had received a further series of files from the alleged hacker, who previously said they had obtained 200GB worth of data.
Medibank found the files included the 100 ahm policy records received last week, which include personal and health claims data, plus another 1,000 policy records from ahm, and files which contain some Medibank, ahm and international student customer data.
The records provided to the company last week included names, addresses, dates of birth, Medicare numbers, phone numbers and medical claims data, including information about diagnosis, procedures and location of medical services.
Medibank said it is too soon to determine the full extent of the customer data that has been stolen and the total number of customers who were affected.
A spokesperson for Medibank confirmed that former customers of the insurer are likely caught up in the hack, and said state health record laws require the company to keep health information for seven years.
Medibank has offered mental health and wellbeing support for customers, and access to specialist identity protection advice with IDCare. The company is also deferring premium increases for Medibank and ahm customers until 16 January 2023.
Current and former customers will be contacted with advice on what to do, and those customers whose data has been confirmed to be compromised will be contacted separately.
Guardian Australia reported on Monday that a view is forming within Medibank that the breach occurred through the theft of the credentials of a person with high-level access within the company, which were then sold on a Russian cybercriminal forum to another hacker.
It is believed that hacker then installed two back doors into Medibank’s systems using the credentials and installed specialised software to extract customer data.
Medibank has confirmed it is in communication with the hacker, but declined to comment when asked whether it would pay any demands made for handing over the data.
The Australian federal police is continuing its investigation.