Customers of health insurance giant Medibank may have had deeply personal information, such as abortion and mental health history, hacked by criminals in a major cyber security breach last week.
The stolen data includes codes for medical conditions they have been diagnosed with including their sexual health, serious diagnoses such as cancer, whether a woman has undergone a termination, and whether a person has been treated for a mental health condition or substance abuse.
It has been a nightmare month for Australian companies, with the likes of telcos Optus and Telstra and online retailer MyDeal all reporting significant customer data breaches.
While initially playing down the impact of the attack, on Wednesday the company confirmed it had been contacted by the criminals who claim to have stolen 200GB of data.
“The criminal has provided a sample of records for 100 policies which we believe has come from our ahm and international student systems,” the company said in a statement.
Home Affairs and Cybersecurity Minister Clare O’Neil said while Medibank had about 3.7 million customers, the breach targeted customers using the “ahm” and “international student” policies that account for a much smaller group of people.
After calling the hacks a “dog act” earlier this week, she told the Today show they were her main priority as Cybersecurity Minister and assured the public that the government was working with Medibank to stop the sensitive data from doing irreparable harm to customers.
“In fact we have actually agreed with Medibank to bring staff into their organisation to help them try to stop the really irreparable harm from coming from what has been a bad cyber incident in this country,” Ms O’Neil said.
“The problem with these cyber attacks, these are ordinary Australians who probably don’t have particularly deep pockets, normal people who trust companies with their data and believe that something like health information is always going to be protected.”
Data accessed by the criminals includes first and last names, phone numbers, addresses, dates of birth, Medicare numbers, policy numbers and claims data relating to medical procedures.
“The data is very specific to the procedure,” chief executive David Koczkar told the Australian.
“We know people are going to be very anxious, we absolutely hear that.”
The criminal also claims to have stolen other information, including data related to credit card security, which has not yet been verified by Medibank, the company said.
Medibank said it was in the process of notifying individual customers if their information had been affected and informing them of what steps to take.
The breach is being investigated by the Australian Federal Police with officers placed within Medibank to help minimise the fallout from the breach.
Ms O’Neil said Medibank initially “assured” the government no customer data had been affected by last week’s breach and that the malicious actors had been removed.
It was subsequently revealed the criminals had made contact with the company and were claiming to have accessed significant amounts of data and were demanding to enter into negotiations.
The data was effectively being held for ransom, Ms O’Neil said.
Medibank said the number of affected customers is expected to grow as the incident continues to unfold.
“I unreservedly apologise for this crime which has been perpetrated against our customers, our people, and the broader community,” Mr Koczkar said.
“I know that many will be disappointed with Medibank and I acknowledge that disappointment.”