Medibank customers have been dealt a massive new blow after the company today confirmed that all customer personal data was exposed to cyber criminals along with “significant amounts” of health claims.
The hacking scandal now threatens to eclipse the recent Optus breach, with millions of customers potentially affected.
In the company’s cybercrime, business and FY23 outlook update announced this morning, Medibank revealed that since yesterday, it had discovered that the criminal behind the hack had access to “all ahm customers’ personal data and significant amounts of health claims data, all international student customers’ personal data and significant amounts of health claims data, and all Medibank customers’ personal data and significant amounts of health claims data”.
“As previously advised, we have evidence that the criminal has removed some of our customers’ personal and health claims data and it is now likely that the criminal has stolen further personal and health claims data,” the announcement states.
“As a result, we expect that the number of affected customers could grow substantially.”
Medibank has announced a support package for affected customers. It includes a hardship package providing financial support for customers left in a uniquely vulnerable position as a result of the crime; access to Medibank’s mental health and wellbeing support line for all customers; access to specialist identity protection advice and resources; free identity monitoring services for customers whose primary ID has been compromised; and reimbursement of fees for reissuing identity documents that have been fully compromised in this crime.
Medibank confirmed that normal business operations were being maintained, and that it was working with the AFP, specialised cyber security firms, the Australian Cyber Security Centre (ACSC) and government stakeholders.
It stressed that its “priority is to continue working to understand the specific data that has been taken for each of our customers so that we can contact them directly to let them know”.
The company added that the cybercrime event “continues to evolve and at this stage, we are unable to predict with any certainty the impact of any future events on Medibank including the quantum of any potential customer and other remediation, regulatory or litigation related costs”.
Medibank CEO David Koczkar confirmed the investigation “has now established that this criminal has accessed all our private health insurance customers personal data and significant amounts of their health claims data”.
“The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal,” he said.
“As we’ve continued to say we believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially.
“I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.”
Shock over Medibank’s bombshell admission
Meanwhile, attention is turning to one shock admission buried within Medibank’s announcement – the fact it did not have cyber insurance.
“Based on our current actions in response to the cybercrime event, noting that Medibank does not have cyber insurance, we currently estimate $25 million-$35 million pre-tax non-recurring costs will impact earnings in 1H23. These non-recurring costs do not include further potential customer and other remediation, regulatory or litigation related costs,” the statement revealed.
Australian cybersecurity expert Ajay Unni, the CEO of cyber security services company StickmanCyber, told news.com.au he was shocked by the revelation, and said it indicated the company had likely been blindsided by the hack.
“This means it will come out of the bottom line and there could be a significant profitability issue,” he said, adding Medibank would now have to fork out for the costs of helping victims as well as the costs associated with the breach itself.
“It is quite alarming that they have not seen this as a risk.”
In a call to investors this morning, Medibank CFO Mark Rogers revealed the company didn’t have cyber insurance for three reasons.
“It’s cost, costs went up significantly over the last couple of years,” he explained.
“It’s coverage, so how much cover you can actually get in terms of the total amount of exposure plus the risk share and probably more importantly is the actual ability to make a claim.
“So notwithstanding the fact we didn’t have cyber insurance, I wouldn’t have expected had we, based on the policies we saw over the last couple of years, that the majority of costs that we are currently calling out (on the $25 to $35 million) wouldn’t have even been covered.”
Mr Unni said the Medibank hack was even worse than Optus given the sensitivity of the information that had been compromised.
“Optus had the 100-point identity check information exposed, but Medibank has that plus people’s medical records,” he explained.
“You can replace someone’s passport or driver’s license, but you can’t replace their first and last name, date of birth and medical records – including medical history that some people may not want to be publicly known.
“Now that’s all out there and available for criminals to get their hands on, so it’s way more complex and devastating than Optus.”
Mr Unni said Australia was woefully unprepared for cyber crime, and said while the Optus and Medibank hacks had dominated headlines, breaches were happening all the time.
“It’s not about if you get attacked, it’s when – it’s inevitable,” he said.
“It’s quite concerning because consumers give away our data to companies … and we have to put an end to the mismanagement of data, and put consumers first.”
News.com.au contacted Medibank for comment.
Originally published as Major twist in Medibank hacking scandal as company admits all customer data exposed to crims