Medibank told analysts and investors on a conference call this morning it had closed off holes where it had found a breach, but wouldn’t guarantee that the hacker no longer had access to its systems.
“It’s an ongoing forensic analysis,” said Medibank’s technology chief John Goodall. “Everywhere we’ve identified a breach it’s now closed.”
In light of the crippling attack, management has withdrawn forecasts for policyholder growth and said it would update the market later in the year. The company estimates that it will have to spend $25 million to $35 million to improve its cybersecurity, contact customers and investigate the breach in the first half of the 2023 financial year. But the company confirmed that it lacks cyber insurance and flagged that it could not quantify the overall cost of the incident. Potential risks include regulatory action, customer remediation and lawsuits.
Koczkar said he “apologised unreservedly” to customers.
“Our investigation has now established that this criminal has accessed all our private health insurance customers personal data and significant amounts of their health claims data,” he said in a statement.
The company is now focused on establishing exactly what health claims data, and for which customers, the criminal had access to.
“The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal.”
“As we’ve continued to say we believe that the scale of stolen customer data will be greater, and we expect that the number of affected customers could grow substantially.”
Koczkar declined to say if Medibank has received a ransom demand from the hackers, citing the ongoing investigation by the Australian Federal Police.
He did confirm to this masthead that communications with the hacker have resulted in the company receiving more files of customer data.
“I would say we received a series of files,” he said without clarifying further. “The two files that we’re sure about, that we have talked about, impacts 1,100 AHM customers and includes their personal and some health claims data. There are a whole series of other files, some of which don’t include anything, some of which include some personal and health claims data.“
The stolen data is from current and former customers and includes names, addresses, birthdates, Medicare numbers, contact information and claims data from the private health insurer. The list of Medibank customers affected potentially includes high-profile Australians.
The hackers have also claimed to possess credit card information, although Medibank said there was no evidence – at this stage – that this is the case, but emphasised that its investigations are continuing.
Loading
Medibank announced a support package for affected customers, which includes hardship provisions to provide financial assistance to customers who are in a uniquely vulnerable position as a result of this crime. It is also allowing access to Medibank’s mental health and wellbeing support line for all customers, including customers of its budget ahm service.
The group is also giving affected customers access to specialist identity protection advice and resources from IDCARE, free identity monitoring services for customers who have had their primary ID compromised and reimbursements for the “re-issue of identity documents that have been fully compromised in this crime.”
The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.
For all the latest Business News Click Here
For the latest news and updates, follow us on Google News.
Denial of responsibility! NewsBit.us is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.
