Health insurer Medibank is refusing to share the findings of a long-awaited review into the cyber attack which exposed personal data and health information of nearly 10 million customers.

In November last year, after hackers began to leak stolen customer data to the dark web, Medibank announced it had commissioned major auditing firm Deloitte to conduct an external review into its colossal 2022 ransomware breach.

At the time, Medibank chair Mike Wilkins said the health insurer would openly “share the key outcomes of the review, where appropriate”, and that Medibank would share learnings where safe to help guide and protect Australian businesses from similar data loss events.

Now, in an announcement to the Australian stock exchange, the company confirmed it has received the review findings and a series of recommendations from Deloitte, but omitted to outline exactly what the recommendations involve.

"Deloitte has been conducting an external incident review into the circumstances surrounding the cybercrime event," said Medibank.

"Deloitte has made recommendations to enhance Medibank’s IT processes and systems.

"A number of recommendations have already been implemented, and Medibank intends to implement all recommendations not already undertaken," it added.

Medibank said it plans to implement all recommendations not already actioned, but was notably silent regarding the precise nature of the recommendations and the review at large.

Not telling

Later, a spokesperson reportedly confirmed to the company will not be making the findings of the review public in consideration of confidentiality and security concerns.

"The Deloitte incident review includes confidential and sensitive information about the cyber security measures that Medibank has in place to protect customers and other data from malicious cyberattacks," the spokesperson said.

"We don't think it's in the interests of our customers or the broader Australian community to publicly release their findings given the security risks this would pose, not only to Medibank but other Australian businesses.

"We will continue to share lessons from the cybercrime with other Australian businesses, where we can," they added.

After Medibank suffered its cyber incident in October 2022, the company initially reported no evidence of customer data being explicitly removed from its networks.

As details gradually surfaced, many customers voiced worry and frustration over the potential risk to their data and health information.

It was later found 9.7 million former and current customers were impacted by the data theft, and nearly half a million victims had their sensitive health claims data leaked to the dark web.

Where’s the trust?

The attack is widely considered one of the largest cyber security events in Australian history, and many have turned to Medibank's handling of the attack as a precedent and valuable source of information for future security incidents – including the findings of Deloitte's review.

"Based on experience, the reality is even organisations with highly mature and well-resourced security programmes will have numerous finding from these types of audits that would be considered ‘embarrassing’," said Mark Culhane, director at Australian tech consultancy Zoak Solutions.

"It does seem that Medibank Private is missing out on an opportunity to rebuild trust."

Medibank has also drawn criticism in its handling of the review by way of comparison to Optus, which similarly experienced a landmark data breach in 2022 but has contrastingly received praise for demonstrating transparency in the wake of its respective hack.

"Looking at other examples of large organisation who also experienced breaches, publication of transparent and frank analysis, learnings and mitigations applied does appear to be the best method of moving forward," said Culhane.

"Whilst immediately publishing all findings of the Deloitte report may not be the best route – controlled publications from Medicare Private providing their customers and the public with visibility of the competence and rigour of remediation activities is likely going to lead to better outcomes for the business," said Culhane.

"At the end of the day, Medibank is a business, operating in a competitive marketplace. Whilst we can criticise and provide opinions on what Medibank should do – we as consumers need to vote with our wallets."

Medibank currently faces two class action lawsuits over the cyber attack, one from investors and the other from victims, and the company remains under investigation by the Office of the Australian Information Commissioner.