Medibank admits all customer data compromised by cyber attack

In a “distressing development”, Medibank has disclosed that the cyber attack on its customers is much larger than initially thought with the private health insurer admitting that all personal data from its customers had been accessed by the cyber criminal.

Nastasha Tupas
Thu, 27 Oct 2022

In a statement, the private health insurer said its investigation had established that all Medibank, ahm and international student customers’ personal data, current and past, had been accessed in the cyber attack.

A significant amount of health claims data was also accessed, and Medibank is yet to determine whether that means the data has actually been stolen.

The cyber criminal had access to the data of at least four million Medibank customers, including some health claims, the private health insurer has confirmed, noting that the number of affected customers is expected to grow substantially as the investigation continues.


Many current and former customers, including international student customers and their parents overseas, are concerned about safety issues.

It is compulsory for all international students to purchase overseas student health cover (OSHC) to meet their visa conditions. In an ABC report, past and present Medibank customers including international student customers have expressed major concern about being targeted by scammers.

The Medibank data hack is shaping up to be much worse than the cyber attack that hit Optus a few weeks ago, with medical information involved, according to cyber security experts.

According to Medibank, holding onto past customers’ data is a legal requirement, which was why past customers could be caught out by this breach. Under the Health Records and Information Privacy Act 2002 (NSW), Health Records Act 2001 (VIC), and Health Records (Privacy and Access) Act 1997 (ACT), it is mandatory for the private health insurer to keep the health information of adults for at least seven years and for individuals younger than 18 until that individual is at least 25 years old.

As seen in recent weeks, large enterprises in Australia continue to be hot targets for cyber criminals due to the abundance of sensitive information housed in their online systems, noted Mark Lukie, director of solutions architects, APAC at Barracuda.

“This comes at a time when, according to The State of Cyber Resilience in Australia 2022 report, 60 per cent of Australian employees assume links in emails are safe to click on if the message came through the corporate email system, and 22 per cent download and install unapproved software onto devices used for work.

“In the light of the current environment, the new legislation highlights the need for companies of all sizes to have a coherent security strategy to protect their data and to ensure that employees are well versed in ongoing security awareness training.”

These practices need to be both integrated into everyday business operations, Lukie explains, and battle-tested in order to prevent a catastrophic breach.

“In addition, patching aggressively, creating backups and prioritising any adherence to specific industry compliance are crucial to protecting valuable data and ensuring that sensitive information remains protected,” Lukie said.

Michael Bovalino, ANZ country manager at LogRhythm, added that harsher penalties and fines would ensure that boards of directors and executives place security at the forefront of the company’s primary areas of focus and strategic planning.

At the same time, enterprises need to put protection in place to secure sensitive and valuable information that is stored in their systems.

“Not only should businesses review their processes and continue to educate their users, but they should also implement best practices for password hygiene, threat detection, preventative controls and response controls if they really are serious about identifying cyber criminal activity before it takes hold and maintaining customer trust,” Bovalino concluded.


Nastasha Tupas

Nastasha is a journalist at Momentum Media who reports extensively across veterans affairs, cyber security and geopolitics in the Indo-Pacific. She is a co-author of a book titled The Stories Women Journalists Tell, published by Penguin Random House. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. Nastasha started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.
