Security Experts:

Connect with us

Hi, what are you looking for?



Data Breach at Australian Health Insurer Impacts 4 Million Customers; Could Cost $35M

Australian health insurer Medibank on Wednesday confirmed that the personal and health information of all customers has been compromised in a recent data breach.

Australian health insurer Medibank on Wednesday confirmed that the personal and health information of all customers has been compromised in a recent data breach.

Identified on October 12 and consistent with the precursor of a ransomware attack – albeit no ransomware has been deployed on Medibank’s systems – the incident has resulted in a threat actor exfiltrating roughly 200 gigabytes of data.

Last week, the hackers contacted Medibank to boast about the data theft, threatening to target the company’s 1,000 most famous customers unless a ransom was paid.

Medibank launched an investigation into the incident immediately after identifying it, but has not provided specific details on the number of impacted customers until now.

Today, however, the health insurer confirmed that all its 3.9 million customers have been impacted by the data breach.

In a Wednesday update to its cyber incident notification, Medibank said the attacker had access to the personal information and health claims data of all ahm customers, international student customers, and Medibank customers.

“Our investigation has now established that this criminal has accessed all our private health insurance customers’ personal data and significant amounts of their health claims data,” Medibank CEO David Koczkar said.

Medibank also noted that it has yet to understand the exact data that was stolen for each of its customers.

Last week, however, the company said that information such as full names, addresses, phone numbers, birth dates, Medicare and policy numbers, and health claims data such as diagnosis and procedure codes was compromised, and that the attackers claimed to have stolen credit card security data as well.

The company says it is offering financial support to ‘uniquely vulnerable’ customers, on an individual basis, and free identity monitoring services for customers with compromised primary IDs, in addition to reimbursing the fees for reissued identity documents.

By law, the company is required to store specific customer data for seven years, and former Medibank customers might be impacted as well.

“We expect that the number of affected customers could grow substantially,” the company notes.

On October 26, Medibank also said that it expects a financial impact of at least $25 to $35 million from the incident, due to its lack of cyberinsurance, aside from “customer and other remediation, regulatory or litigation related costs”.

Over the weekend, Australia proposed tougher penalties for all organizations that fail to properly protect customer data.

The company said during a press conference that the attackers accessed its systems using compromised credentials obtained from a hacker on a Russian cybercriminal forum. Medibank also said it has strengthened its cybersecurity stance and that the hackers have been eliminated from its network.

Related: Medibank Confirms Broader Cyberattack Impact After Hackers Threaten to Target Celebs

Related: Data Breach at Australian Telecoms Firm Optus Could Impact Up to 10 Million Customers

Related: Australia Flags New Corporate Penalties for Privacy Breaches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.