Data Breach at Australian Health Insurer Impacts 4 Million Customers; Could Cost $35M

Australian health insurer Medibank on Wednesday confirmed that the personal and health information of all customers has been compromised in a recent data breach.

Identified on October 12 and consistent with the precursor of a ransomware attack – albeit no ransomware has been deployed on Medibank’s systems – the incident has resulted in a threat actor exfiltrating roughly 200 gigabytes of data.

Last week, the hackers contacted Medibank to boast about the data theft, threatening to target the company’s 1,000 most famous customers unless a ransom was paid.

Medibank launched an investigation into the incident immediately after identifying it, but has not provided specific details on the number of impacted customers until now.

Today, however, the health insurer confirmed that all its 3.9 million customers have been impacted by the data breach.

In a Wednesday update to its cyber incident notification, Medibank said the attacker had access to the personal information and health claims data of all ahm customers, international student customers, and Medibank customers.

“Our investigation has now established that this criminal has accessed all our private health insurance customers’ personal data and significant amounts of their health claims data,” Medibank CEO David Koczkar said.

Medibank also noted that it has yet to understand the exact data that was stolen for each of its customers.

Last week, however, the company said that information such as full names, addresses, phone numbers, birth dates, Medicare and policy numbers, and health claims data such as diagnosis and procedure codes was compromised, and that the attackers claimed to have stolen credit card security data as well.

The company says it is offering financial support to ‘uniquely vulnerable’ customers, on an individual basis, and free identity monitoring services for customers with compromised primary IDs, in addition to reimbursing the fees for reissued identity documents.

By law, the company is required to store specific customer data for seven years, and former Medibank customers might be impacted as well.

“We expect that the number of affected customers could grow substantially,” the company notes.

On October 26, Medibank also said that it expects a financial impact of at least $25 to $35 million from the incident, due to its lack of cyberinsurance, aside from “customer and other remediation, regulatory or litigation related costs”.

Over the weekend, Australia proposed tougher penalties for all organizations that fail to properly protect customer data.

The company said during a press conference that the attackers accessed its systems using compromised credentials obtained from a hacker on a Russian cybercriminal forum. Medibank also said it has strengthened its cybersecurity stance and that the hackers have been eliminated from its network.

Related: Medibank Confirms Broader Cyberattack Impact After Hackers Threaten to Target Celebs

Related: Data Breach at Australian Telecoms Firm Optus Could Impact Up to 10 Million Customers

Related: Australia Flags New Corporate Penalties for Privacy Breaches