One of Australia's largest private health insurance providers has suffered a major cyber security incident.

Medibank, which covers 3.7 million people as of 2021, reported unusual activity on its network on 13 October and immediately engaged a specialised cyber security firm, as well as an investigation into whether any sensitive data, such as customer records, had been illegitimately accessed.

The company also took down access to customer systems in an effort to isolate the incident and reduce the chances of system damage and data loss.

Medibank went on to provide regular, detailed updates on the incident via its website, and on 14 October, announced having already sent around 3.7 million informational emails to current and former customers of Medibank and ahm health insurance – the private health insurance company which operates as a member of the Medibank group.

"I apologise and acknowledge that in the current environment this news may make people concerned," said Medibank CEO David Koczkar.

"Our highest priority is resolving this matter as transparently and quickly as possible."

As of 17 October, Medibank has reported there is no evidence of customer data having been removed from its network as a result of the cyber security incident, however, due to the response measures taken by Medibank, users of ahm and international student policy systems were unable to access relevant services between Thursday 13 October and early Friday 14 October.

This disruption to services was an intentional decision by Medibank made in order to mitigate potential damage while the suspicious network activity was investigated.

"This was done out of an abundance of caution, and it enabled Medibank to provide additional protection of customer data on that system," said Medibank.

"We apologise for the disruption this incident caused some of our customers yesterday, but we have made good progress with our systems overnight," said Koczkar on 14 October.

"We took the necessary precautions to protect the data of our customers, people and other stakeholders, and we will continue to do so."

Is it ransomware?

Medibank's apparent cyber security incident is still developing, and the finer details are yet to wholly surface – however, communications from Medibank indicate the aforementioned suspicious network activity was consistent with precursors to a ransomware event.

"Medibank has contained the ransomware threat but remains vigilant and will take necessary steps in the future to protect its operations and its customers’ data," said Medibank.

Given the current trend of big brands suffering major data breaches, attacks of this nature tend to attract scrutiny and customer concern.

Medibank has demonstrated a thorough, fast response to the incident, and has engaged cyber security experts in dealing with the attack, as well as a multitude of relevant government agencies.

"We have spoken with the Australian Cyber Security Centre, APRA, Office of the Australian Information Commissioner, Private Health Insurance Ombudsman, the Department of Health and the Department of Home Affairs over the course of the day to ensure that our regulators and other key stakeholders are informed."

Medibank has also said it is working in an “open and cooperative manner” with the Australian Cyber Security Centre, the Australian Government's lead agency for cyber security, to “receive information and intelligence' relevant to the incident”.

To date, Medibank's ongoing investigation and management of the incident seem to have revealed no direct proof of ransomware infection or customer data loss.

"Medibank systems were not encrypted by ransomware during this incident and there is no indication that the incident was caused by a state-based threat actor."

What should Medibank customers do?

Medibank has said customers will be kept up-to-date as the situation evolves, and has stressed that Medibank will never make contact in request of passwords or other sensitive information.

While customers are being advised there is nothing they need to do for the time being, they are advised to remain vigilant of any suspicious emails or SMS messages regarding insurance or Medibank services.

As for the impact to Medibank, the potential ransomware attack and subsequent shut down of certain systems could be responsible for a trading dip, as shares resumed trading down nearly three per cent today.

Medibank has assured investors the incident has not disrupted its business momentum, as it continues to liaise with customers and stakeholders via ongoing updates.