Get all your news in one place.
100’s of premium titles.
One app.
Start reading
ABC News
ABC News
National

All Medibank customers' personal data was compromised in the cyber attack. Who is at risk and what should customers do?

Millions of Medibank customers may have had their information stolen, with the company revealing hackers accessed the personal data of all customers across its Medibank, ahm and OSHC brands. 

Here is what we know and what Medibank has said to do if you are a customer.

What's the update?

In a statement on Wednesday morning, Medibank confirmed the criminal entity behind the hack had accessed all Medibank, ahm and international student customers' personal data and a "significant amount" of health-claims data.

The development came a day after Medibank confirmed that data from its main brand had also been compromised.

Medibank said it had come to this conclusion after being sent customer data by criminals that included data from all three entities.

Previously, Medibank said the breach only affected customers of its subsidiary, ahm, and data collected about international students studying in Australia who use Medibank under its OSHC service.

How many people are affected? 

Medibank hasn't confirmed the exact number of people affected.

But we now know that every Medibank, ahm, and international student customer's personal data, and a "significant amount" of health-claims data, was compromised.

That means about 4 million current and countless former customers across the three brands could be at risk due to the attack.

What should Medibank customers do?

All Medibank and ahm customers have been urged to contact the company's cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or through an information page on the firm's website.

Medibank has initiated a dedicated cybercrime customer support package to respond to the breach which includes:

  • A hardship package to provide financial support for customers who are in a uniquely vulnerable position as a result of this crime, who will be supported on an individual basis
  • Access to Medibank's mental health and wellbeing support line for all customers, including ahm customers
  • Access to specialist identity protection advice and resources from IDCARE
  • Free identity monitoring services for customers who have had their primary ID compromised
  • Reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime

The company has also established specialised teams to help customers who receive scam threats:

  • Medibank customers should send any suspicious emails or texts to scaminvestigations@medibank.com.au
  • ahm customers should email scaminvestigations@ahm.com.au.

Medibank has reminded customers to stay vigilant for possible scams and said it will never contact customers requesting passwords or other sensitive information.

Customers can also speak to Medibank's qualified mental health professionals 24/7 over the phone for advice or support around mental health or wellbeing by calling 1800 644 325.

What do we know about what was taken?

Medibank has confirmed the hacker had access to all customers' personal data and a "significant amount" of health-claims data.

Medibank says the criminal entity behind the attack showed the company a sample of customer records as proof of the hack.

Of the records supplied by the criminal entity, Medibank says the data includes:

  • First names and surnames
  • Addresses
  • Dates of birth
  • Medicare numbers
  • Policy numbers
  • Phone numbers
  • Data from claims made to the insurer

The data also includes details about where customers received medical services, the codes relating to their diagnosis and procedures.

The hacker also claims to have credit card details, however, this has not been verified by Medibank.

What happened last week?

Medibank first alerted the public to the cyber attack on October 13 but at the time it said there was no evidence that sensitive data had been accessed.

On October 19, Medibank issued a statement saying it received a message from a group claiming to be hackers.

The following day the company confirmed the hackers had sent a sample of 100 records believed to have been taken from Medibank's system.

As a result of the breach, Medibank halted trading on the share market.

It only resumed trading on Wednesday morning following a share price fall of 14 per cent.

What has Medibank said about the breach?

Due to its lack of cyber insurance, Medibank said it expected a one-off cost impact from the cyber breach of between $25 and $35 million.

But it was unable to estimate how much it might have to spend to compensate customers.

The company has also delayed planned premium increases for Medibank and ahm customers which were scheduled to rise on November 1.

The increase won't take affect until January 16, 2023

In a statement issued on Wednesday morning, Medibank CEO David Koczkar apologised unreservedly to customers and issued a warning about what might happen.

"Our investigation has now established that this criminal has accessed all our private health insurance customers personal data and significant amounts of their health claims data. The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal," Mr Koczkar said.

"As we've continued to say we believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially.

"This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community."

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.