As a cybersecurity worker, it didn’t take Chris* long to find his Medibank data in a dump posted to the dark web last week, but he didn’t learn about it from the health insurer.
“It’s been about a week now and Medibank have still not informed me that my data is in that dump,” he said.
Medibank’s chief executive, David Koczkar, told shareholders at the company’s annual general meeting on Wednesday that the company was contacting, within 48 hours, any customers whose health claims data had been posted on the dark web by Russian hackers.
So far hundreds of claims associated with terminating pregnancies, mental health issues, and drug and alcohol use have been posted on a dark web blog linked to the REvil ransomware group.
But hundreds of customers whose personal details – including names, addresses, dates of birth, phone numbers, email addresses and gender, but not medical information – were posted on the site are yet to hear from the insurer individually.
When Chris contacted Medibank to enquire about his situation, he was told the company would be communicating with those who had health claims data posted first.
Koczkar told reporters after the meeting on Wednesday: “We believe that is the right decision. Those customers are uniquely vulnerable. And we want to make sure that they hear that as soon as they can from us. As I said before, this is a complicated process.”
But Chris said he was annoyed about the radio silence.
“They had ample time to prepare the comms and get them out to anyone that had been exposed, and taking over a week to do so is really poor form – and I don’t buy in to the excuses they have given,” he said.
“I think that’s probably a bad call given all of their earlier posturing about being transparent.”
Chris said he was fortunate in not having made any claims other than glasses or dental with the company when he was a customer, so he wasn’t too upset about the leak given the lack of potentially embarrassing health information.
Others weren’t so lucky. While the hackers’ first data dump was limited to a few hundred megabytes and included hundreds of names, addresses, birthdates, Medicare numbers and hospital addresses, the second leak contained a file labelled “abortions”.
“Added one more file Boozy.csv …,” the ransomware group wrote in a blog update on the dark web in the early hours of Friday. The file contained the data of about 240 policyholders who had made claims related to the harmful use of alcohol.
Then, on Sunday night, the hacking group posted a fourth file labelled “psychos”, which contained hundreds of claims from policyholders that appear to be related to mental health treatment.
Chris said he hoped Medibank would emerge from the scandal with its reputation intact and that the company would become a case study for other businesses refusing to pay ransoms.
“If that happens, it will be a good outcome for all. However, if they renege on their promise to be open and transparent at the 11th hour, and crash and burn as a result, it will look like their mistake was not paying, and the opposite will happen: this will be a really bad outcome.”
At the AGM, the Medibank board heard from several angry shareholders who were also Medibank customers and complained about the lack of direct communication from the company since the initial announcements.
Koczkar told shareholders that the company would begin directly informing the 480,000 customers who have had their health claim data stolen, though not necessarily posted online.
The breach covers 9.7 million current and former customers, including 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers.
The insurer said health claims for about 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers were accessed. The information exposed includes service provider names and codes associated with diagnosis and procedures.
There were also 5,200 My Home Hospital patients who had their personal and health data accessed, and 2,900 next of kin of these patients who had some contact details accessed.
The hackers have not posted any new data dumps since Monday, but have promised to drop more on Friday after the AGM.
*Name changed to protect privacy