Australia's largest private health insurer has confirmed that the personal medical details of customers using its flagship Medibank brand have been stolen in a recent hack.
The list of potentially affected Medibank customers includes well-known Australians. The stolen data came from current and previous customers and included names, addresses, birth dates, Medicare numbers, contact information, and claims data from private health insurance companies.
Medibank said on Tuesday it had received more details from the hackers. This includes a file of a further 1000 policy records from its budget brand ahm – including personal and health claims data. It said the file also contained some Medibank customer data.
"It is clear that criminals have taken data that now includes data of Medibank customers, in addition to ahm and international student customers," the company said in a statement.
"This is a sad development and Medibank unreservedly apologizes to our customers."
Medibank chief executive David Koczkar apologized once again and said the company continues to work closely with federal government agencies, including on the ongoing criminal investigation into the matter.
"This is a malicious attack that has been carried out by criminals with the aim of causing maximum fear and harm, especially to the most vulnerable members of our community," he said.
In a recent development, Medibank said it will begin contacting current and former customers to recommend steps they can take.
"We will also start contacting customers whose data we now know has been compromised," the company said.
It urged customers to stay alert to suspicious communications received via email, text or phone calls. The news comes nearly two weeks after the hacking incident, which Medibank initially downplayed when it said on October 14 that there was no evidence that customer data was accessed.
This changed last week when Medibank received a hacker threat, which was also received by The Sydney Morning Herald and The Age. The unidentified group said they would sell the 200 gigabytes of stolen data unless Medibank paid a ransom. The message contained threats from the hackers to first target 1000 famous Australians with their own data as a warning.
Cyber Security Minister Clare O'Neil said the latest advice from Medibank was very concerning. O'Neil stressed that she had been in constant contact with Medibank, the head of the Australian Signals Directorate, and the Australian Federal Police, since she was first informed of the incident.
"The toughest and smartest people in the Australian government are working directly with Medibank to try to ensure that this horrific criminal act does not turn into an irreparable harm to some Australian citizens," she said.
The shadow secretary for cybersecurity, Senator James Paterson, criticized the government for its slow response to the attack, noting that although the company had denied it, customers' worst fears had now been realized.
"After the slow and confusing response to the Optus cyberattack, Cyber Security Secretary Clare O'Neil took a week to publicly respond to the Medibank hack," he said.
“Miss O'Neil had to explain why she accepted the company's initial denial [that] it was serious, delaying government involvement for a week. Every lost day exacerbates the damage done.”
Medibank has nearly 4 million customers in total who may be affected by this attack.
Logs obtained by cybersecurity researchers and viewed by The Sydney Morning Herald and The Age show that someone with access to the internal Medibank system had their company login credentials stolen from their web browser. The credentials were stolen around August 7th.
Current investigations have confirmed that these details were then sold online to parties who accessed the Medibank system and copied health records, using tools on the platform to collect customer data on a large scale.
Medibank does not believe the hackers were state sponsored, but there are no further details on their origins.
The company's $10 billion stock has been suspended from trading since last week, but will come out of the trading halt on Wednesday morning. Medibank indicated it expected to make further announcements before then.