Medibank’s stolen data • What should customers do now? 😟🤔
The health insurance provider first reported “unusual activity” on its network on 13 October – and it was initially believed no customer data had been removed from its systems.
An alleged hacker group then contacted Medibank wishing to negotiate over a set of reportedly stolen customer data, which the insurance provider said was limited to a subset of international students, and to its budget insurance sub-brand, ahm. Since then, further files received “from the criminal” contain Medibank, ahm and international student customer data.
It was later revealed on 26 October that the data of all its 3.9 million policyholders had been compromised.
Medibank CEO David Koczkar said he “unreservedly apologises to our customers who have been the victims of this serious crime.”
“As we continue to uncover the breadth and gravity of this crime, we recognise that these developments will be distressing for our customers, our people and the community – as it is to me,” he added.
This cyber crime event is currently subject to criminal investigation by the Australian Federal Police (AFP), for which Medibank is offering ongoing assistance. In addition to continuing investigations and communicating the unfolding developments of this incident, Medibank is also taking a number of customer-focused measures, including a new “comprehensive customer support package”.
Medibank said this will include “24/7 mental health and wellbeing support,” support for “customers who are in uniquely vulnerable positions”, and access to specialist identity protection advice with IDCARE, Australia and New Zealand’s national identity and cyber support service.
So how much customer data has actually been stolen?
While it has been revealed that the data of all its 3.9 million policyholders has been compromised, the number of people affected is likely to be much higher. In the past two years alone, more than 1.5 million Medibank customers have changed funds – with the company having churn rates of 14 and 25 per cent respectively in 2021 and 2020. Medibank is legally required to retain customer information for seven years for adults and up to 25 years for children, creating a honeypot for cyber criminals.
Medibank is still calculating the total number of former customers with data exposed in the breach.
“Our investigation has now established that the criminal had access to: all AHM customers’ personal data and significant amounts of health claims data; all international student customers’ personal data and significant amounts of health claims data; all Medibank customers’ personal data and significant amounts of health claims data,” Mr Koczkar said.
But chief executive David Koczkar refused to say whether the group would pay a ransom to the cyber criminals, despite saying he expects the mass theft of customer data — including health records and Medicare numbers — to cost the company at least $25-35m.
What should customers do?
For Medibank’s nearly 4 million customers, the health insurer’s advice is to remain vigilant for “suspicious communications received via email, text or phone call.”
The company said it will never contact customers to request passwords or sensitive information, and encourages customers to use its cyber response hotlines by phone (13 42 46 for ahm customers, and 13 23 31 for Medibank customers).
Finally, Medibank said customers can also speak to its experienced and qualified mental health professionals for advice or support around mental health.
But aside from relying on support from Medibank and the government, there are four basic steps that customers can take to try to stay as safe online as possible.
- Enable multi-factor authentication across your email, bank and social media accounts to make it impossible for a hacker to log in with just your password. Multi-factor authentication means a hacker might steal your PIN or password, but they will still need another proof of identity to gain access to your accounts
- Regularly check transactions across your bank accounts and keep an eye on your credit score for any unusual activity
- Never disclose your personal or banking information over the phone or online unless you can verify the legitimacy of the request
- Avoid clicking any suspicious links, attachments or emails
What to do if a data breach involves your:
Call for help if you’ve been impacted
If you are concerned that your data may have been caught up in the cyber attack, you can contact Medibank on 13 23 31, or ahm on 13 42 46.
The company says it has increased its call centre staffing numbers to respond to customer inquiries.
If you have been impacted, you can contact IDCARE on 1800 595 160 to limit the damage of identity theft. Then alert your bank.
Specialist services available to you
The company is also providing access to specialist identity protection advice and resources from IDCARE, free identity monitoring services for customers who have had their primary ID compromised, and reimbursement of fees for reissue of identity documents that have been fully compromised.
If your Medicare card number has been exposed and you are concerned, you can replace your Medicare card for free. You can do this using your Medicare online account through myGov, the Express Plus Medicare mobile app, or calling Medicare.
Services Australia has also put in place additional security measures to protect customer information.
If you believe there has been unauthorised activity in your Medicare account, you can call the Services Australia Scams and Identity Theft Help Desk, who can help secure your account if it’s been compromised, on 1800 941 126.
Following the recent slew of Australian data breaches, including Optus, Telstra and Medibank, Cyber Security Minister Clare O’Neil warned cyberattacks of this nature would only increase. “This is the new world that we live in. We are going to be under relentless cyberattacks, essentially from here on in.”
In an effort to combat the onslaught of cyber crime in recent weeks, the Albanese Government has flagged a new law impacting data breach penalties, as well as expected reforms to the Privacy Act.