It is too soon to determine the full extent of the customer data that has been stolen
There has been a further development in Medibank’s cybercrime event, which is subject to a criminal investigation by the Australia Federal Police (AFP).
It has become clear that the criminal has taken data that now includes Medibank customer data, in addition to that of ahm and international student customers.
This is a distressing development and Medibank unreservedly apologises to our customers.
Here is what we can update
We have received a series of additional files from the criminal. We have been able to determine that this includes:
- A copy of the file received last week containing 100 ahm policy records – including personal and health claims data
- A file of a further 1,000 ahm policy records – including personal and health claims data
- Files which contain some Medibank and additional ahm and international student customer data
Given the complexity of what we have received, it is too soon to determine the full extent of the customer data that has been stolen. We will continue to analyse what we have received to understand the total number of customers impacted, and specifically which information has been stolen.
We have taken the step of making this announcement as we believe it is important to notify our customers of this development.
As we continue to investigate the scale of this cybercrime, we expect the number of affected customers to grow as this unfolds.
What we are doing now
Medibank is assisting the AFP in its ongoing investigation.
Today we will announce a comprehensive customer support package, which will include:
- 24/7 mental health and wellbeing support
- Support for customers who are in uniquely vulnerable positions
- Access to specialist identity protection advice with IDCARE for all customers
Given the distress this crime is causing our customers we will also defer premium increases for Medibank and ahm customers until 16 January 2023.
Last week, we began directly contacting affected customers to provide support and guidance on what to do next. As a result of today’s update, we will begin contacting current and former customers to recommend steps they could take. We will also begin contacting customers whose data we now know has been compromised.
What should customers do
Medibank urges our customers to remain vigilant to suspicious communications received via email, text or phone call.
We encourage customers to review the advice of:
- The Australian Cyber Security Centre (ACSC) at cyber.gov.au
- The Australian Government factsheet which has been developed for affected customers
Medibank and ahm will never contact customers requesting passwords or other sensitive information.
All Medibank and ahm customers can contact our cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page on the website for any updates (https://www.medibank.com.au/health-insurance/info/cyber-security/).
Our customers can also speak to Medibank’s experienced and qualified mental health professionals 24/7 over the phone for advice or support around mental health or wellbeing (1800 644 325).
Ongoing investigation
In addition to supporting the AFP criminal investigation, Medibank continues to work with specialised cyber security firms, the Australian Cyber Security Centre (ACSC) and government stakeholders.
Medibank will continue to provide regular, transparent updates.
Medibank CEO David Koczkar said
“I unreservedly apologise to our customers who have been the victims of this serious crime.
“As we continue to uncover the breadth and gravity of this crime, we recognise that these developments will be distressing for our customers, our people, and the community – as it is to me.
“This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community.
“We continue to work closely with the agencies of the Federal Government, including the ongoing criminal investigation into this matter. We thank them for their ongoing support and assistance.”
For the avoidance of doubt the voluntary suspension continues until the earlier of a release of a further announcement by Medibank and commencement of normal trading on Wednesday 26 October 2022.