
Medibank customers’ personal data compromised by cyber attack

Australian health care insurance company Medibank confirmed that the threat actor behind a cyberattack on the company had access to the data of at least 4 million customers.

Although Medibank at first said that there was “no evidence that customer data has been accessed,” a week later its investigation showed that the threat actor had access to all Medibank customers’ personal data and significant amounts of health claims data.

Stolen data

The cybercrime investigation shows that the criminal had access to:

  • All ahm customers’ personal data and significant amounts of health claims data
  • All international student customers’ personal data and significant amounts of health claims data
  • All Medibank customers’ personal data and significant amounts of health claims data

This does not necessarily mean that all these data have been stolen, but Medibank has been contacted by the threat actor claiming to have stolen 200GB of data. The threat actor provided a sample of 100 policy records, which are believed to come from the ahm and international student systems.

The provided data sample includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data. It also includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures.

The claim that the attackers have stolen other information, including data related to credit card security, has not yet been verified.

Not just current customers

Medibank has promised it will commence making direct contact with the affected customers to inform them of this latest development, and to provide support and guidance on what to do next. There may be some surprises, because not all affected people are current customers. Australian law required Medibank to hold onto past customers’ data, which was why former clients could be caught out by this breach. Relevant laws in the country require the company to keep the health information of adults for at least seven years and for individuals younger than 18 until that individual is at least 25 years old.

What to do?

Medibank and ahm customers can contact Medibank by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page on the website for any updates.

Until the investigation has verified the full extent of the stolen data, it is hard to establish whether your data have been stolen. So far it has been confirmed that international students have been affected. There are many of them, since private health insurance is a requirement when they start a study in Australia.

Medibank provides a comprehensive support package for customers who have had their data stolen, which includes:

  • Financial support for customers who are in a uniquely vulnerable position as a result of this crime. They will be supported on an individual basis.
  • Free identity monitoring services for customers who have had their primary ID compromised
  • Reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime

And they are offering all customers access to:

  • Specialist identity protection advice and resources from IDCARE
  • Medibank’s mental health and wellbeing support line

This and any new information can be found on Medibank’s webpage about the cybersecurity incident.

As always, when personal data have been stolen it is advisable to deploy some extra vigilance when it comes to phishing attempts that could very well use some of the stolen information to gain credibility.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.