Private health insurer Medibank Private (ASX: MPL) has this morning confirmed that a cybercriminal is in possession of customer data, including personal and health claims information.
The development is a major escalation of the situation from when Medibank officials reported that the company was hit by an attempted ransomware attack last Monday. Three days later the company announced it was treating a ransom threat over customer data 'seriously', but said its systems had not been encrypted by ransomware.
According to the insurer, today's ‘distressing development’ follows an investigation by the Australian Federal Police (AFP), which determined that the cybercriminal has at least 1,100 ahm and Medibank policy records and some international student customer data.
“Given the complexity of what we have received, it is too soon to determine the full extent of the customer data that has been stolen,” says Medibank Private.
“We will continue to analyse what we have received to understand the total number of customers impacted, and specifically which information has been stolen.
“We have taken the step of making this announcement as we believe it is important to notify our customers of this development.”
The company, which has close to 4 million customers, says it will continue to assist the AFP in its ongoing investigation, and is set to announce a comprehensive customer support package.
This will include 24/7 mental health and wellbeing support, assistance for customers who are in ‘uniquely vulnerable positions’, and access to specialist identity protection advice with IDCARE for all customers.
“Given the distress this crime is causing our customers we will also defer premium increases for Medibank and ahm customers until 16 January 2023,” says Medibank.
“Last week, we began directly contacting affected customers to provide support and guidance on what to do next. As a result of today’s update, we will begin contacting current and former customers to recommend steps they could take. We will also begin contacting customers whose data we now know has been compromised.”
The insurer has urged customers to remain vigilant to suspicious communications received via email, text or phone call, and review the advice of the Australian Cyber Security Centre.
Medibank Private CEO David Koczkar has ‘unreservedly’ apologised to all customers who have been the victims of this cybercrime.
“As we continue to uncover the breadth and gravity of this crime, we recognise that these developments will be distressing for our customers, our people and the community – as it is to me,” Koczkar said.
“This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community.
“We continue to work closely with the agencies of the Federal Government, including the ongoing criminal investigation into this matter. We thank them for their ongoing support and assistance.”
Shares in Medibank remain in a trading halt until Wednesday 26 October.