The Medibank cyber incident has taken a turn for the worse, as a new update revealed the alleged hacker had access to the data of at least four million customers – and the health insurer did not have cyber insurance.

Unhappy investors have shown their distaste for the affair, wiping $1.6 billion off the value of Medibank.

Medibank initially reported no evidence of customer data having been removed from its network, but with further updates released over the past two weeks it gradually found more and more customer data had been impacted.

Now, Medibank says the criminal behind the attack had access to the data of all ahm customers, all international student customers, and all Medibank customers.

Among other details impacted by this incident, such as names, addresses, phone numbers, and Medicare numbers, samples of stolen data also contained highly sensitive health claims data.

"Our investigation has now established that this criminal has accessed all our private health insurance customers personal data and significant amounts of their health claims data," said Medibank CEO David Koczkar.

Medibank said the health claims data impacted thus far included information about diagnosis, procedures and location where medical services were received.

"We have evidence that the criminal has removed some of our customers’ personal and health claims data and it is now likely that the criminal has stolen further personal and health claims data," said Medibank.

"As a result, we expect that the number of affected customers could grow substantially," it added.

While Medibank has confirmed the alleged hacker had an alarming level of access, it is yet to determine the full extent of data actually stolen, or how they actually got in.

"Our priority is to continue working to understand the specific data that has been taken for each of our customers so that we can contact them directly to let them know," it said.

Given the significant risk of identity theft prompted by the Medibank and Optus hacks, Medibank is offering services to help cover the costs of replacing impacted ID documents.

Impacted customers are urged to make use of Medibank's dedicated cyber crime customer support package, which includes free identity monitoring services for customers who have had their primary ID compromised, and also offers reimbursement of fees for re-issue of identity documents.

Former customers caught up in breach

What we do know is this – the hack impacts around 4 million existing customers, as well as an undetermined number of former customers, too.

According to Medibank, it is required by law to retain health information for a period of seven years for adults, and up to 25 years for children, meaning former customers of the health insurer may also find themselves at risk from this breach.

Former customers have voiced complaints online for being caught up in the attack, as have international students, for whom it is compulsory to purchase overseas student health cover (OSHC) in order to meet visa conditions.

"As we’ve continued to say, we believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially," said Koczkar.

Medibank says that to date, its IT systems have not been encrypted by ransomware.

Cyber insurance ignored, shares plummet

After a week-long trading halt, Medibank's share price dropped 18.1 per cent on Wednesday afternoon.

The shares now sit at $2.87, its lowest level since April 2021, and Medibank's market value has sunk a whopping $1.6 billion.

It was also revealed in its last update that Medibank, the major health insurer, does not have cyber insurance.

"Based on our current actions in response to the cybercrime event, noting that Medibank does not have cyber insurance, we currently estimate $25 million-$35 million pre-tax non-recurring costs will impact earnings in 1H23," said Medibank.

Medibank CFO Mark Rogers offered insight into this revelation, citing high costs and limited benefits as the company's reasons for remaining uninsured.

"Costs went up significantly over the last couple of years,” he explained.

"So notwithstanding the fact we didn’t have cyber insurance, I wouldn’t have expected had we, based on the policies we saw over the last couple of years, that the majority of costs that we are currently calling out (on the $25 to $35 million) wouldn’t have even been covered,” he added.

Strong words in Parliament

In an update given in Parliament on 25 October, Cyber Security Minister Clare O'Neil called back to the Optus data breach which reportedly exposed 9.8 million customer records.

"Combined with Optus, this [Medibank breach] is an enormous wake-up call for the country," she said.

"Cybercriminals are the thugs of the 21st century – the bag snatchers and the armed robbers," she added.

O'Neil also pointed out the significance of the type of data at risk in the Medibank attack – highlighting the sensitive nature of health information.

"When it comes to the personal health information of Australians, the damage here is potentially irreparable.

"Australians who are struggling with mental health conditions, drug and alcohol addiction or diseases that carry some shame or embarrassment are entitled to keep that information private and confidential.

"For a cybercriminal to hang this over the heads of Australians is a dog act, it is scum of the earth, lowest of the low territory."

The attack also raises a range of data privacy concerns surrounding how long companies should hold data, and what expected penalties should be in the event of a serious breach.

Medibank continues to work with government stakeholders and the Australian Federal Police, who are leading a criminal investigation into the matter.