South Australians who used an at-home medical care service have been swept up in Medibank's recent data breach, as the health insurer reports even more data was accessed in the attack.
After recently revealing all ahm, international student, and Medibank customer data had been exposed during the cyber incident, health insurer Medibank has now revealed patient information relating to South Australian service My Home Hospital was also accessed.
My Home Hospital is a service jointly run by Medibank and not-for-profit healthcare organisation Calvary on behalf of the state government.
Patients who used the service for at-home care may now face significant privacy complications, as the South Australian government agency Wellbeing SA said about 4,400 patients had both their personal and medical information accessed in Medibank's recent data breach.
"It has become clear that the criminal has accessed patient information relating to My Home Hospital," said Medibank.
"The data accessed includes personal information and some health data," it added.
Wellbeing SA chief executive Lyn Dean told ABC that Medibank had initially advised the My Home Hospital program was not caught up in the data breach.
On 26 October, however, Wellbeing SA was notified that both personal information and medical records of My Home Hospital patients had been accessed.
"My Home Hospital patients are the only SA Health patients aligned with Medibank and, therefore, the only ones who could have been affected," said Dean.
Dean said personal information such as names, addresses, date of birth and the reason for admission were accessed.
"My Home Hospital patients who accessed the service for the first time on or after October 13 are not impacted by the breach," said Dean.
My Home Hospital is a relatively new service, having been launched in January 2021 to help reduce ambulance ramping and overcrowding at hospitals.
Dean also emphasised medical records had not been explicitly breached.
"The data has been accessed, but [Medicare] does not know whether at this point the data has been stolen," Dean said on Friday morning.
Has the data been leaked?
Despite nearly three weeks having passed since the initial attack was reported by Medibank, the full extent of stolen data is still unclear.
Medibank's recent updates have revealed the alleged criminal potentially "had access" to the data of at least 4 million Medibank customers across Australia, as well as this new subset of data from My Home Hospital patients, but the health insurer is yet to report evidence of data having actually left its systems.
While the alleged criminal behind the attack has reportedly provided Medibank with small samples of stolen data, the precise amount of data actually removed from the health insurers' systems is yet unknown.
"While Medibank has not yet determined if the data has been illegally taken from our system, we know it has been accessed," said Medibank.
Medibank released a further update on October 28, providing insight to the meaning of the word 'access' related to its unfolding cyber incident.
"We appreciate how important it is for you to understand what 'access' means," said Medibank CEO, David Koczkar.
"In this case, it means the data was either viewed, or the folder where the data is stored was viewed, by the criminal," he explained.
Medibank's cybercrime event is subject to ongoing criminal investigation by the Australian Federal Police, and further updates are being released as events unfold.
Government activates the National Coordination Mechanism
More recently, the Federal Government activated the National Coordination Mechanism (NCM) in response to the Medibank attack.
The NCM is a response tool used to bring together representatives of both government and non-government organisations to coordinate, communicate and collaborate during responses to crises.
In an update given to Parliament, Cyber Security Minister Clare O'Neil said the NCM was “set up by the former government as a crisis response mechanism to deal with the most difficult and complex aspects of managing the pandemic”.
"We are picking up that model. What we can see is that Medibank is just as complex and just as urgent as some of what we dealt with there."
As investigations and government cooperation continues, Medibank has begun contacting affected patients directly.
Medibank also urges customers to be alert for phishing scams, and to verify any communications they receive to ensure they are legitimate.
"We unreservedly apologise to our patients who have been the victims of this very serious crime," said Medibank.