Medibank Hack “Dog Act”: Cyber Security Minister
Cyber Security Minister Clare O’Neil has lashed out over the “irreparable harm” caused by the recent Medibank breach, which has seen Australians’ sensitive health records stolen and exploited.
Hackers have since contacted Medibank demanding a ransom, claiming to have lifted 200GB of personal data, including names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and claims data.
Medibank Private has requested a voluntary suspension from the ASX while the issue is dealt with.
Australia’s biggest health insurer has 3.9 million current members, and countless past members, on its books.
“Financial crime is a terrible thing, but ultimately a credit card can be replaced,” Cyber Security Minister Clare O’Neil said.
“The threat that is being made here, to make the private, personal health information of Australians available to the public, is a dog act.”
Customers who left the insurer long ago have also had their data exposed in the breach, prompting further discussion on why these companies are legally allowed to retain this information.
Medibank is required to keep customers’ records for seven years after they leave the insurer, and must keep children’s private records until they turn 25.
“This claims data includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures. The criminal claims to have stolen other information, including data related to credit card security, which has not yet been verified by our investigations,” Medibank said.
“We expect the number of affected customers to grow as the incident continues. We understand that this development will be upsetting.”
Medibank CEO David Koczkar has apologised for the breach.
“I know that many will be disappointed with Medibank and I acknowledge that disappointment,” he said.
“We will learn from this incident and will share our learnings with others. Medibank will remain open and transparent and will continue to provide comprehensive updates as often as we can and need to.
“Based on our ongoing forensic investigation we are treating the matter seriously at this time.
“I understand that this may cause you some concern, and I apologise. I want to assure you that the protection of your data remains our priority.
“Our systems have not been encrypted by ransomware, which means usual activities for customers continue. However, our ongoing response to safeguard our networks and systems may require necessary temporary disruptions to our services.”