9.7 Million Medibank Customers Have Had Their Data Breached, But No Ransom Will Be Paid

Last month, Medibank went public with news that it had suffered a cyber incident. Turns out it was a lot worse than Medibank first thought, with the data of 9.7 million customers now caught up in the massive breach.

The private health insurer told shareholders on October 12 it had fallen victim to a ‘cyber incident’. It said that in response to this incident, the organisation took immediate steps to contain it, and engaged specialised cybersecurity firms.

At the time, Medibank said there was no evidence that any sensitive data, including customer data, had been accessed in the cyber attack.

On October 17, it reaffirmed that after ongoing investigations, there was still no evidence customer data had been removed from its IT environment. It also emerged that Medibank was the victim of a ransomware extortion attempt, with the word ‘ransom’ hidden within the organisation’s messaging. But on October 19, things had taken an Optus-like turn.

In a statement issued via the ASX on October 19, Medibank said it had received messages from a group that “wishes to negotiate with the company regarding their alleged removal of customer data”. This negotiation amounted to the hackers threatening to release the private medical information of high-profile Australians if a ransom wasn’t paid.

On October 20, Medibank said the Australian Federal Police was investigating the incident as a crime as data on its customers was confirmed breached. Then, on October 26, Medibank confirmed every one of its customers had their data breached – the private health insurer has 3.9 million customers (not including its brands).

However, today, November 7, Medibank divulged just how bad things actually are.

“Given the nature of this crime, we now believe that all of the customer data accessed could have been taken by the criminal,” it said.

In a statement issued to the ASX, Medibank said it believes the criminal has accessed the name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives. This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers.

It believes the criminal also accessed Medicare numbers (but not expiry dates) for ahm customers, passport numbers (but not expiry dates) and visa details for international student customers, and health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed, and around 2,900 next of kin of these patients have had some contact details accessed.

Health provider details, including names, provider numbers and addresses, are among the data accessed in the breach, Medibank said.

Despite this, Medibank said the criminal did not access primary identity documents, such as driver’s licences, for Medibank and ahm resident customers. Credit card and banking details are also apparently safe.

Regarding this whole ransom thing, however, Medibank said it’s not paying.

“No ransom payment will be made to the criminal responsible for this data theft,” the statement reads.

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” Medibank CEO David Koczkar added.

The Office of the Australian Information Commissioner (OAIC) is making preliminary inquiries with Medibank to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme, but in the meantime, Medibank said it has “a comprehensive support package” for customers who have had their data stolen. This includes financial support for customers who are in a uniquely vulnerable position as a result of this crime (they will be supported on an individual basis), free identity monitoring services for customers who have had their primary ID compromised and reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime.

Medibank is also offering all customers access to identity protection advice and resources from IDCARE and Medibank’s mental health and wellbeing support line. If you’re concerned about the cyber attack or need to do Medibank-related things, you can reach out by calling 13 23 31 or visiting Medibank’s dedicated webpage.

This article has been updated since it was first published.