Australia’s Top Health Insurer Hacked

Australia has suffered another highly damaging data breach, after that country’s leading health insurer was hacked.

Medibank Private confirmed on Thursday a ‘cyber incident’, which it said was being investigated by the Australian Federal Police as a crime.

Unfortunately, it seems that hackers have stolen 200GB of Australian patient data, including names, addresses, phone numbers, dates of birth, financial data, and in some case actual medical data.

Medibank hack

“Medibank has been contacted by a criminal claiming to have stolen data and who has provided a sample of records for 100 policies which we believe has come from our ahm and international student systems,” the firm stated.

“The criminal also claims to have stolen other information, including data related to credit card security,” it added. “This has not yet been verified by our investigations.”

The health insurer said it working around the clock to understand what additional customer data has been affected and how this will impact them.

“We are making direct contact with the affected customers to inform them of this latest development, and to provide support and guidance on what to do next,” the firm stated. “We expect the number of affected customers to grow as the incident continues.”

Medibank urged customers to remain vigilant, and encouraged them to seek independent advice from trusted sources, including the Australian Cyber Security Centre at cyber.gov.au

It also said it would never contact customers requesting passwords or other sensitive information.

“Medibank is in discussions with government stakeholders about what else we can do to assist our customers in safeguarding their identities and health information, and we will be in touch with customers about those steps directly,” it said.

Medical records

This breach is potentially huge, as Medibank Private covers one-sixth of Australians.

The country only has a population of 25 million, meaning potentially 4 million people have been impact.

Until now the concern has centred around the risk the hackers would use stolen financial data to access people’s bank accounts.

However the Sydney Morning Herald reported that it obtained a message from a person claiming to be the Medibank hacker, who reportedly threatened to publish confidential medical records of high-profile individuals unless the person was paid.

Compromises of medical data has happened before.

In 2019 for example, a nation state hacker compromised Singapore’s government health database and stole the medical records of at least 1.5 million people, including the medical records of Prime Minister Lee Hsien Loong.

Optus hack

News of the Medibank Private comes hot on the heels of the hack of Australia’s second largest mobile operator Optus, owned by Singapore Telecommunications Ltd.

The breach of Optus impacted up to 10 million Australians and stolen data included customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers.

The Australia government did not hold back on making its anger at the breach known, and demanded that Singapore Telecommunications must pay for replacement ID documents including passports, which the firm agreed to do.