If in the last seven years you were a Medibank or ahm customer, or were with Medibank as an international student, it’s likely your data was exposed. Photograph: Bianca de Marchi/AAP

I am a Medibank customer. Am I affected by the cyber-attack? What can I do to protect myself?

Experts suggest using multifactor authentication and telling your bank to put extra security checks in place

Millions of Medibank’s current and former customers have had their personal information, including health claims, exposed in a hack of the company’s customer database.

Here’s what we know so far and what you can do.

Am I affected?

If you are a customer of Medibank or its subsidiary ahm, or are an international student with Medibank, or you have been a customer in the last seven years or longer, it’s likely your data has been exposed in the breach.

The company has said 9.7 million current and former customers are exposed. That includes 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers.

If you are a current or former customer of Medibank you’ve likely already received an email advising you about the hack itself. Medibank has also sent follow-up emails to customers whose health claims data has been posted on the dark web.

Medibank has also said former customers have been included in the records received so far, as the company is legally required to keep information for seven years after a person stops being a Medibank customer.

What personal information has been compromised?

Medibank has determined the hackers were able to obtain the following information for all customers, including Medibank, ahm and international student customers:

  • name

  • address

  • date of birth

  • gender

  • email

  • Medicare card number (in some cases)

  • health claims made with Medibank (in some cases)

Of these, the date of birth, address, Medicare card numbers and health claims would be of most concern for potential identity theft or extortion attempts.

The health insurer said the hackers obtained claims for about 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers. The exposed information included service provider names and codes associated with diagnosis and procedures.

What can I do about personal identification information being exposed?

Similar to the response to the Optus data breach, experts suggest not rushing out and changing everything. People should always seek to use strong passwords and multifactor authentication on their online accounts – not just with Medibank.

They can also advise their bank and other financial institutions to put in place additional security checks for their accounts (particularly for over-the-phone transactions).

For compromised Medicare numbers, Medibank has not yet advised how many or which customers are affected.

What can I do about my personal medical information being breached?

Unfortunately, at this stage, not a lot.

After Medibank refused to pay the ransom, the hackers began posting records on a blog on the dark web.

Claims associated with alcohol and drug use, mental health and terminating pregnancies have been released, along with hundreds of others. Medibank has said it has alerted those who have had their records posted on the dark web and will be providing direct support.

The hackers then posted what Medibank has indicated is the full amount of data that was originally stolen from the Australian health insurer, in six compressed files totalling 5GB.

But the data is currently very difficult for anyone to go through. Medibank says it is in a “raw form”, disorganised and not in an easy-to-read format. The health claims data, for example, is not matched up with customers.

Can I check if I’m in the data dump?

Given the data is located on the dark web and is not in an easy-to-find format, it is best to leave it alone if you don’t know what you’re doing.

There’s no easy way to check if your data is included and it’s inadvisable to go searching for it yourself. The best bet is to see what Medibank has told you via email or call its call centre. The company has said it has put on extra staff to take calls about those who might be affected.

What will Medibank do for affected customers?

There will be a support package for affected customers, including:

  • Financial support for customers who “are in a uniquely vulnerable position” as a result of the hack. They will be supported on an individual basis

  • Access to Medibank’s health and wellbeing support line

  • Specialist ID protection services from IDCARE

  • Identity monitoring services for customers who have had their primary ID compromised

  • Reimbursement of fees for reissue of ID documents that were “fully compromised” in the hack

Is the government doing anything?

Federal government agencies, including the Australian federal police, are investigating the hack.

The AFP commissioner, Reece Kershaw, announced that through the investigation the AFP had determined the hackers were located in Russia and were believed to be associated with known hacker groups. The AFP has identified individuals involved and Kershaw said it would be seeking the support of Russian authorities to continue the investigation.

The home affairs minister, Clare O’Neil, has been in frequent contact with Medibank, and the national coordination mechanism was established to bring state and federal departments and agencies together on the breach along with Medicare. The mechanism has met eight times as of the end of October.

The government also passed legislation in November changing privacy law to impose harsher penalties of up to $50m for serious or repeated data breaches.
