Medibank admits ransomware attack is far worse than previously thought


Medibank has revealed that 9.7 million current and former customers were affected by a cyber attack on the company's systems in October, a number substantially higher than previously thought.

The company, one of Australia’s largest health insurance providers, disclosed on 19 October that it had been hit by a cyber attack and was negotiating with the attackers. A week later, Medibank said the attacker had access to the data of all of its 3.9 million customers and hinted that the number of customers affected by the attack could grow substantially.



Following an investigation, the company has now revealed the attacker gained access to the data of 9.7 million current and former customers. It said that it’s required by law to retain certain customer information, including that of former customers, for particular periods of time, generally for seven years from when a customer leaves the company, but sometimes longer.

The 9.7 million figure represents around 5.1 million Medibank customers, 2.8 million customers belonging to Medibank subsidiary Ahm, and around 1.8 million international customers. The attacker also accessed Medicare numbers for Ahm customers, and passport numbers and visa details for international student customers.

Health claims data for around 160,000 Medibank customers was also accessed, as well as data belonging to 300,000 Ahm customers and 20,000 international customers. This included service provider name and location, the location where customers received medical services, and codes associated with diagnoses and procedures administered.

The company has also decided that it will not make a ransom payment to the attacker responsible for the data theft. It said this decision is consistent with the position of the Australian government.

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” said Medibank CEO David Koczkar.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”

The company added that it believes that all of the customer data accessed could have been taken by the hackers. It advised customers to remain vigilant as the attackers could publish the data online or attempt to contact customers directly.

Medibank added that its business operations weren’t affected during the cyber attack and that it hasn’t detected any more suspicious activity inside its systems since 12 October 2022. It has also boosted its existing monitoring capabilities, added further detection and forensics capabilities, and scaled up analytical support through third parties.

This comes as the Australian government looks to introduce tougher penalties for serious privacy breaches after the country was exposed to a number of cyber attacks recently.

In October 2022, the attorney general said the maximum penalty will rise from $2.22 million (£1.2 million). Companies will be fined a new maximum of whichever is greatest of three potential numbers: 30% of a company's adjusted turnover in the relevant period, three times the value of any benefit obtained through the misuse of information, or $50 million (£27 million).

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.