After downplaying the severity of a cyber incident last week, health insurer Medibank revealed it has received contact from a group wishing to negotiate over allegedly stolen customer data.

In a statement this afternoon, Medibank says the hacker claims to have 200GB of stolen personal data, of which the details of 100 policies were shown to the company.

Medibank believes these have come from its ahm and international student systems.

Details include full names, addresses, date of brth, Medicare number, phone numbers, policy numbers, and claims data for procedures.

This incident is now being investigate by the Australian Federal Police (AFP).

Over the past week, Medibank has provided prompt and consistent updates regarding incident, and initial investigations suggested there may have been little to no damage.

It was yesteday when Medibank reported a group made contact via a series of messages wishing to "negotiate with the company regarding their alleged removal of customer data."

In a statement, the company said this is “a new development and Medibank understands this news will cause concerns for customers and the protection of their data remains our priority."

Previous reporting from Medibank indicated unusual activity on its network was consistent with precursors to a ransomware event – meaning the hacker may now be attempting to negotiate a ransom in exchange for breached data.

"Medibank is working urgently to establish if the claim is true," said Medibank. "Based on our ongoing forensic investigation we are treating the matter seriously at this time.”

The company forewarned its efforts to safeguard its networks and systems "may cause necessary temporary disruptions" to its services.

Stolen data

At least 3.7 million people are covered by Medibank as of 2021, and the full extent of potentially exposed customer information is currently unknown.

"As a health company providing health insurance and health services, Medibank holds a range of necessary personal information of customers," said Medibank.

The email Medibank sent to customers. Photo: Medibank

Medibank had previously reassured its customers their personal data remained safe during the incident.

The Sydney Morning Herald, which claims to have obtained the message sent to Medibank, said the apparent hacker group has threatened to sell confidential customer information, such as credit card information and sensitive health conditions, unless a ransom is paid.

The obtained message allegedly read:

"We offer to start negotiations in another case we will start realizing our ideas like 1. Selling your Database to third parties 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, actors, bloggers, LGBT activists, drug addictive people, etc) Also we’ve found people with very interesting diagnoses. And we’ll email them their information.”

Medibank stated its "systems have not been encrypted by ransomware", and usual customer activities can continue for the time being.

As for the legitimacy of the claim made by this group, and the potential ransom or data leaks that may surface as a result, Medibank continues to investigate.

"Investigations are ongoing and Medibank will continue to provide regular updates," it said.

Medibank halts trading

Medibank announced on Wednesday that it entered a trading halt on the Australian Stock Exchange, marking the second time in a week the insurance provider has stopped trading.

"Medibank has entered into a trading halt, to ensure that it meets its continuous disclosure obligations. The trading halt will continue until further notice," said Medibank.

After its initial trading halt, Medibank shares resumed trading down nearly three per cent – a significant trading dip which may be attributable to this cyber incident.

As for its next steps, Medibank is continuing to work with specialised cyber security firms and has advised the Australian Cyber Security Centre of recent developments.

"Our team has been working around the clock since we first discovered the unusual activity on our systems, and we will not stop doing that now," said Medibank CEO David Koczkar.

This incident is unfolding just a few weeks after Optus' recent landmark data breach which exposed at least 2.1 million personal identification numbers – continuing the trend of major cyber attacks against large Australian companies.

Minister for Home Affairs Clare O'Neil said, "Medibank is cooperating with government in responding to this incident. Significant support has been provided by the Australian Signals Directorate’s Australian Cyber Security Centre, and the Department of Home Affairs.

"This incident is another reminder for Australian governments, businesses and citizens to be vigilant about their cyber safety," she added.

In an interview with ABC radio, O'Neil conceded this is the “new world that we live in” and subsequently “we are going to be under relentless cyberattack essentially from here on in."