Health insurance company Medibank, which has four million customers, is the latest Australian organisation to be hit with a cyberattack in recent months. The criminals claim to have stolen 200GB of data from the company’s systems.
Medibank has confirmed that data obtained by unknown hackers contains highly personal information from its clients including first and surnames, policy numbers and claims data consisting of “location of where a customer received medical services and codes relating to their diagnosis and procedures”. The company has not commented on how the criminals gained access to such sensitive information.
The private health insurer confirmed last Thursday that it had suffered a cyberattack and was investigating the consequences, and an update today confirmed that the data had been accessed. In the aftermath of the attack, the company said it had temporarily blocked and isolated access to AHM, one of the insurance brands the company runs, as well as international student policies.
Medibank is working with the Australian Cybersecurity Centre, the Federal Police, cybersecurity firms and government stakeholders in an ongoing investigation. The company has not yet replied to a request for comment from Tech Monitor, or confirmed if a ransom demand has been received.
According to its most recent update, the company has been contacted by cybercriminals who claim to have stolen 200GB of data from its systems. They have provided a sample of records for 100 policies, which, “we believe has come from our AHM and international student systems,” Medibank says.
“This claims data includes the location of where a customer received medical services and codes relating to their diagnosis and procedures,” it continues.
The criminals claim to have stolen other information, including data related to credit card security, but this has not yet been verified by Medibank.
Medibank’s systems were back and running on Friday after they were migrated onto new IT infrastructure, the company has confirmed that its systems were not encrypted. Medibank has placed a trading halt on its shares until further notice.
Medibank CEO David Koczkar said: “I unreservedly apologise for this crime which has been perpetrated against our customers, our people and our broader community. I know that many will be disappointed with Medibank and I acknowledge that disappointment. This cybercrime is now the subject of an investigation by the Australian Federal Police. We will learn from this incident and share our learnings with others. Medibank will remain open and transparent and will continue to provide comprehensive updates as often as we need to.”
This attack comes weeks after the Optus breach, which saw the records of just under ten million customers of the telecoms company being compromised in an attack, which Australia’s minister for cybersecurity Clare O’Neil called a “basic hack”. O’Neil suggested that Australia could change its cybersecurity regulations in the wake of the attack.
Neena Sharma, senior strategist at security vendor Clavister, said: “The data breach suffered by Medibank is worrying, especially following the Optus cyberattack which also hit Australia only a few weeks ago. Highly sensitive personal information was accessed by the hackers, which raises concern about adequate cyber protection. Businesses and industries that hold large amounts of sensitive consumer data, such as health insurers, the transportation sector, and the banking sector, must invest better in safeguarding technologies to prevent hackers from accessing personal information.”