Medibank withholds Deloitte findings into cyberattack

Medibank withholds Deloitte findings into cyberattack

Private healthcare insurer Medibank (ASX: MPL) has revealed it will not be sharing the findings of Deloitte’s report into a cyberattack that stole the personal data and health details of almost 10 million customers last year.

The breach saw hackers access information like customer names, addresses, dates of birth, phone numbers, email addresses and the Medicare numbers of ahm customers, as well as the passport numbers of international students. Following the attack, the majority of stolen customer data was dumped on the dark web via six zipped files.

In an announcement on the ASX today, the company told investors Deloitte had made recommendations to enhance Medibank’s IT processes and systems - a number of which the insurer has already implemented.

“Medibank intends to implement all recommendations not already undertaken, along with other enhancements previously planned by Medibank,” the company said.

A spokesperson also told Business News Australia the review includes confidential and sensitive information about the cyber security measures that Medibank has in place to protect customers and other data from malicious cyberattacks. 

“We don’t think it’s in the interests of our customers or the broader Australian community to publicly release their findings given the security risks this would pose, not only to Medibank but other Australian businesses,” the spokesperson said.

“We will continue to share lessons from the cybercrime with other Australian businesses where we can.”

The decision to withhold the findings comes a month after US-based firm Quinn Emanuel Urquhart & Sullivan launched legal proceedings against Medibankover the hack, alleging the insurer breached its disclosure obligations by not disclosing to the market the alleged deficiencies in its cyber security systems.  

While Australian law firms Maurice Blackburn LawyersBannister Law Class Actions and Centennial Lawyers had been pursuing separate legal actions against Medibank, the start of this year saw them enter a joint cooperation agreement against Medibank and ahm in relation to the cyberattack.

In December 2022, Maurice Blackburn also lodged a representative complaint against the insurer with the Office of the Australian Information Commissioner (OAIC) – a regulator that has the power to order compensation for affected customers.

“This cybercrime was a deliberate and malicious attack. Our focus has been to ensure that we closed down the attack path and enhance our systems and processes to provide our customers with the security they expect and deserve,” Medibank chair Mike Wilkins said.

“Medibank has completed a range of enhancements to meet this expectation and the Board will continue to oversee the completion of steps to implement the recommendations to enhance systems and processes even further.”

The hack is part of a growing trend of cyberattacks hitting Australian companies, including intellectual property law giant IPH Limited (ASX: IPH) and personal loans provider Latitude (ASX: LFS), the latter of which saw approximately 7.9 million Australian and New Zealand drivers licence numbers stolen from its systems one month ago.

Gordon Legal and Hayden Stephens and Associates (HSA) announced they were investigating potential legal action against the fintech and would investigate the circumstances surrounding the breach.

A cybercrime task force initially established by the Australian Federal Police (AFP) to protect those impacted by both the Optus and Medibank data breaches has also expanded its remit to cover the fallout from the Latitude hack.

Enjoyed this article?

Don't miss out on the knowledge and insights to be gained from our daily news and features.

Subscribe today to unlock unlimited access to in-depth business coverage, expert analysis, and exclusive content across all devices.

Support independent journalism and stay informed with stories that matter to you.

Subscribe now and get 50% off your first year!

Four time-saving tips for automating your investment portfolio
Partner Content
In today's fast-paced investment landscape, time is a valuable commodity. Fortunately, w...
Etoro
Advertisement

Related Stories

Medibank shareholders launch new class action over cyberattack

Medibank shareholders launch new class action over cyberattack

Private health insurer Medibank (ASX: MPL) has been hit with a thir...

Medibank to fight class action lawsuit launched by global law firm Baker McKenzie

Medibank to fight class action lawsuit launched by global law firm Baker McKenzie

Baker McKenzie has become the fourth law firm to launch legal proce...

Triple threat: Australian law firms join forces to litigate Medibank data breach

Triple threat: Australian law firms join forces to litigate Medibank data breach

Three Australian law firms have partnered up to launch a landmark d...

Bannister, Centennial investigate class action against Medibank over data hack

Bannister, Centennial investigate class action against Medibank over data hack

Update (14 November): Since this story was published, another law f...