)
Private healthcare insurer Medibank (ASX: MPL) has revealed it will not be sharing the findings of Deloitte’s report into a cyberattack that stole the personal data and health details of almost 10 million customers last year.
The breach saw hackers access information like customer names, addresses, dates of birth, phone numbers, email addresses and the Medicare numbers of ahm customers, as well as the passport numbers of international students. Following the attack, the majority of stolen customer data was dumped on the dark web via six zipped files.
In an announcement on the ASX today, the company told investors Deloitte had made recommendations to enhance Medibank’s IT processes and systems - a number of which the insurer has already implemented.
“Medibank intends to implement all recommendations not already undertaken, along with other enhancements previously planned by Medibank,” the company said.
A spokesperson also told Business News Australia the review includes confidential and sensitive information about the cyber security measures that Medibank has in place to protect customers and other data from malicious cyberattacks.
“We don’t think it’s in the interests of our customers or the broader Australian community to publicly release their findings given the security risks this would pose, not only to Medibank but other Australian businesses,” the spokesperson said.
“We will continue to share lessons from the cybercrime with other Australian businesses where we can.”
The decision to withhold the findings comes a month after US-based firm Quinn Emanuel Urquhart & Sullivan launched legal proceedings against Medibankover the hack, alleging the insurer breached its disclosure obligations by not disclosing to the market the alleged deficiencies in its cyber security systems.
While Australian law firms Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers had been pursuing separate legal actions against Medibank, the start of this year saw them enter a joint cooperation agreement against Medibank and ahm in relation to the cyberattack.
In December 2022, Maurice Blackburn also lodged a representative complaint against the insurer with the Office of the Australian Information Commissioner (OAIC) – a regulator that has the power to order compensation for affected customers.
“This cybercrime was a deliberate and malicious attack. Our focus has been to ensure that we closed down the attack path and enhance our systems and processes to provide our customers with the security they expect and deserve,” Medibank chair Mike Wilkins said.
“Medibank has completed a range of enhancements to meet this expectation and the Board will continue to oversee the completion of steps to implement the recommendations to enhance systems and processes even further.”
The hack is part of a growing trend of cyberattacks hitting Australian companies, including intellectual property law giant IPH Limited (ASX: IPH) and personal loans provider Latitude (ASX: LFS), the latter of which saw approximately 7.9 million Australian and New Zealand drivers licence numbers stolen from its systems one month ago.
Gordon Legal and Hayden Stephens and Associates (HSA) announced they were investigating potential legal action against the fintech and would investigate the circumstances surrounding the breach.
A cybercrime task force initially established by the Australian Federal Police (AFP) to protect those impacted by both the Optus and Medibank data breaches has also expanded its remit to cover the fallout from the Latitude hack.
Get our daily business news
Sign up to our free email news updates.
)
)
)
)
)
