Another hack in Australia as four million Medibank customers data exposed

  • Medibank said all the personal data belonging to its customers, its AHM division, and every international-student client were compromised.
  • The hack is likely to cost the company a minimum between $25m and US$35 million.

Last week, Australia’s largest private health insurance company, Medibank, admitted it had as much as 200 gigabytes of data stolen from its servers, including “the location of where a customer received medical services, and codes relating to their diagnosis and procedures”. This week, the company highlighted that the hack has compromised its entire clientele, involving almost four million customers.

The update by Medibank had significantly escalated the cyberattack spell that has been ongoing in Australia lately. In a filing to the Australian Stock Exchange, the company said the investigation into the breach has now established the hacker had access to all Medibank, AHM and international student customers’ personal data, and significant amounts of health claims data. 

The personal information includes name, address, date of birth, some Medicare card numbers and gender. The health information includes the claim codes made by customers. It is fair to note however that Medibank still can’t definitely say how many or which customers are affected beyond the 1,000 records provided to the insurer by the hacker in the past two weeks. So far, it is through this communication with the hacker that Medibank has been able to determine the extent of the breach.

Because state and territory health record laws require the company to keep data for seven years, Medibank confirmed that the breach will also affect former customers. As of June 30, the company had 3.96 million customers. The hack is likely to cost the company a minimum between US$25 million and US$35 million, Medibank said. The large amount is mainly due to Medibank not having cyberattack insurance, and estimated cost does not include customer compensation or regulatory or legal costs that may be brought against the company.

With the extent of the attack still unclear, Medibank withdrew its guidance for policyholder growth this financial year. Separately, Bloomberg Intelligence’s Matt…