Medibank reveals damning extent of hack that could cost $35 million


Australian private health insurance provider Medibank has revealed that the cyber attack that hit the company earlier in October could set it back by $35 million AUD (£19.5 million), at a time when the government has declared its rules around data breaches 'inadequate'.


Based on its current actions in response to the hack, and noting that it does not hold cyber insurance, the company estimates costs of around $25-$35 million, which will affect its earnings. The costs do not include further potential customer and other remediation, regulatory, or litigation-related costs.

Hackers attacked Medibank earlier this month and said they would release a trove of stolen company data unless a ransom was paid.

The company originally believed that no customer data had been accessed during the attack, but said last week that the hackers were willing to negotiate over the return of the stolen data. Medibank was working urgently to establish whether the claim was true.

This comes at a time when the Australian government has described its current rules around data breaches as 'inadequate' and plans to raise the maximum penalty for companies that suffer data breaches from $2.22 million (£1.2 million) to $50 million (£27 million).

It is unclear which figure would apply to Medibank, as the hack took place before the new rules come into force.

Medibank also disclosed today that the attacker had access to all of the company’s customer data, some 3.9 million records, which is equivalent to around 15% of the population of Australia.

The company added that the criminal had removed some of its customers' personal and health claims data and that it is now likely the attacker has stolen further personal and health claims data. As a result, Medibank believes the number of affected customers could grow "substantially".

“Our investigation has now established that this criminal has accessed all our private health insurance customers' personal data and significant amounts of their health claims data,” said David Koczkar, CEO at Medibank.

“As we’ve continued to say, we believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially,” he added. “I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.”

The company stated that it will continue working to understand the specific data taken for each customer so it can contact them directly. It has also announced a support package for customers who are in a vulnerable position because of the crime.

This includes access to a mental health and wellbeing support line for all customers, access to specialist identity protection advice and resources, and free identity monitoring services. It will also provide reimbursement of fees for the re-issue of identity documents that have been fully compromised in the crime.

The company reiterated that its IT systems haven’t been encrypted by ransomware and normal business operations have been maintained with customers continuing to access health services.

Medibank also said it is prioritising the prevention of further unauthorised entry to its IT network and is continuing to monitor for any further suspicious activity. This includes bolstering existing monitoring, adding further detection and forensics capability across Medibank's systems and network, and scaling up analytical support via specialist third parties.

The cyber attack is subject to a criminal investigation by the Australian Federal Police (AFP) and Medibank is working with the police as well as the Australian Cyber Security Centre (ACSC) and government stakeholders.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.