A cyber-attack against Australia’s largest private health insurer and subsequent threats to sell the stolen customer information have been described as a “dog act” by Home Affairs minister Clare O’Neil, who is also Minister for Cyber Security.
Ms O’Neil made the comments on Thursday, just hours after Medibank confirmed customer data, including some medical claims data and other personal and financial data, had been stolen.
Claims data includes the “location of where a customer received medical services, and codes relating to their diagnosis and procedures”. Other compromised data includes names, addresses, dates of birth, Medicare numbers, and phone numbers.
Australia’s privacy watchdog began preliminary inquiries into the cyber-attack on Thursday to “ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme”. The cyber-attack was also referred to the Australian Federal Police by Medibank on Wednesday.
Medibank first disclosed the incident last Friday, when it was forced to take two customer-facing systems offline after detecting “unusual activity on its network”. At the time it said there was no evidence of compromise.
But on Wednesday, the health insurer was contacted by the alleged hackers, who claimed to have stolen 200GB of data and threatened to contact the 1000 most prominent customers with their own personal information, as reported by the Sydney Morning Herald.
Medibank on Thursday confirmed the validity of the reports, saying the “criminal has provided a sample of records for 100 policies which we believe has come from our AHM and international student systems”.
Addressing the Medibank cyber incident on Thursday afternoon, Ms O’Neil said the confirmation that the sample data is from Medibank “tells us something about what a broader theft of data may look like in Medibank”.
She said the inclusion of “numbers that indicate procedures and diagnoses about the health of Australian citizens” was particularly concerning.
“Financial crime is a terrible thing, but ultimately a credit card can be replaced,” she told reporters.
“The threat that is being made here to make the private, personal health information of Australians… available to the public is a dog act.
“And that is why the toughest and smartest people in the Australian Government are working directly with Medibank to try to ensure that this horrendous criminal act does not turn into what could be irreparable harm to some Australian citizens.”
Minister O’Neil said Medibank chief executive David Koczkar had agreed that officers from the Australian Federal Police and Australian Signals Directorate will be located within Medibank to ensure it has “every possible support… to ensure that this crime doesn’t result in harm”.