Medibank has reported a "distressing development" regarding its unfolding cyber incident, as "a series of additional files" received from a criminal party have been found to include detailed Medibank customer data.
The health insurance provider first reported "unusual activity" on its network on 13 October – and it was initially believed no customer data had been removed from its systems.
An alleged hacker group then contacted Medibank wishing to negotiate over a set of reportedly stolen customer data, which the insurance provider said was limited to a subset of international students, and to its budget insurance sub-brand, ahm.
Now, further files received "from the criminal" are shown to contain Medibank, ahm and international student customer data.
"Given the complexity of what we have received, it is too soon to determine the full extent of the customer data that has been stolen," reported Medibank.
"As we continue to investigate the scale of this cybercrime, we expect the number of affected customers to grow as this unfolds," it added.
So far, Medibank has determined the series of files includes:
● A copy of the file received last week containing 100 ahm policy records – including personal and health claims data
● A file of a further 1,000 ahm policy records – including personal and health claims data
● Files which contain some Medibank and additional ahm and international student customer data
Medibank CEO David Koczkar said he “unreservedly apologises to our customers who have been the victims of this serious crime."
"As we continue to uncover the breadth and gravity of this crime, we recognise that these developments will be distressing for our customers, our people and the community – as it is to me," he added.
What's next for Medibank
In addition to the landmark Optus data breach, the Medibank attack was already shaping up to be one of the most significant cyber events of the year.
Now that data from its main brand is believed to be compromised, the insurance provider has its work cut out for it.
This cyber crime event is currently subject to criminal investigation by the Australian Federal Police (AFP), for which Medibank is offering ongoing assistance.
In addition to continuing investigations and communicating the unfolding developments of this incident, Medibank is also taking a number of customer-focused measures, including a new "comprehensive customer support package"
Medibank said this will include "24/7 mental health and wellbeing support," support for "customers who are in uniquely vulnerable positions”, and access to specialist identity protection advice with IDCARE, Australia and New Zealand's national identity and cyber support service.
The IDCARE announcement is particularly noteworthy, as it has been a central resource following the Optus breach which exposed at least 2.1 million personal identification numbers.
What should customers do?
For Medibank's nearly 4 million customers, the health insurer warns to remain vigilant of "suspicious communications received via email, text or phone call."
The company said it will never contact customers in request of passwords or sensitive information, and encourages customers to utilise its cyber response hotlines via phone (for ahm customers 13 42 46, and for Medibank customers 13 23 31).
Finally, Medibank said customers can also speak to its experienced and qualified mental health professionals for advice or support around mental health.
"This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community."
New normal?
Cyber Security Minister Clare O'Neil has outwardly lambasted the alleged criminals behind Medibank's data breach, labelling the possible revelation personal health information as a "dog act" against Australians.
Following the recent slew of Australian data breaches, including Optus, Telstra and Medibank, O'Neil warned cyberattacks of this nature would only increase.
"This is the new world that we live in," she said.
"We are going to be under relentless cyberattacks, essentially from here on in," she added.
In an effort to combat the onslaught of cyber crime in recent weeks, the Albanese Government has flagged a new law impacting data breach penalties, as well as expected reforms to the Privacy Act.
Senator James Paterson, who is the now Shadow Minister for Cyber Security, commented on this Medibank development, stating "Despite the company’s initial denials, customers worst fears have now been realised."
He also criticised O'Neil's response to the Medibank breach, saying, "after a slow and confused response to the Optus cyber attack, it is concerning that it took the Cyber Security Minister Clare O’Neil a week to publicly respond to the Medibank hack."
"Ms O’Neil should explain why she accepted the company’s initial denial this was serious, delaying government engagement by a week," he added.
"In a cyber attack, time is of the essence. Early engagement by the government allows the
facts to be established, data theft to potentially be disrupted, and gives customers time to
take any necessary steps to mitigate the consequences of the breach," said Paterson.
"Every day lost worsens the damage done."
Medibank continues to work alongside the AFP in investigating the incident, and has said it will begin contacting current and former customers with recommended steps following the breach.
As for those looking for updates on Medibank trading information, the company stated: "For the avoidance of doubt the voluntary suspension continues until the earlier of a release of a further announcement by Medibank and commencement of normal trading on Wednesday 26 October 2022.”
