SYDNEY, Australia — Hackers have accessed millions of medical records at one of Australia’s largest private health insurers Medibank, the company said Wednesday, prompting the government to acknowledge that national cyber safeguards are “inadequate”.
Medibank private health insurer says 3.9 million customer files ransomed by hackers; amid spate of recent incidents, home affairs minister warns damage ‘potentially irreparable’
It was the latest in a series of hacks targeting millions of people that have significantly eased Australian companies’ lax approach to cyber security.
Medibank chief executive David Koczkar said information on every one of the company’s 3.9 million policyholders – about 15 per cent of Australia’s population – had been compromised.
“Our investigation has now established that this criminal had access to all of our private health insurance customers’ personal information and a significant amount of their health claims data,” he said in a statement to the Australian Stock Exchange.
“This is a terrible crime. This is a crime designed to cause maximum harm to the most vulnerable members of our community.”
The cyberattack was revealed last week, but it was not yet known how many people were affected.
Hackers have previously threatened to leak data, starting with 1,000 famous Australians, unless Medibank pays the ransom.
Medibank also confirmed on Wednesday that it is not insured against cyber attacks, with estimates that the hack could cost the company up to Au$35 million ($22 million).
The Medibank hack followed an attack on telecoms company Optus last month that exposed the personal data of about nine million Australians – almost a third of the population.
The Optus attack was one of the biggest data breaches in Australian history.
‘Inadequate’
Australia’s Attorney-General Mark Dreyfus has previously accused companies of hoarding sensitive customer data they don’t need.
Businesses currently face paltry fines – Au$2.2 million – for failing to protect customer data.
Dreyfus said last week that those fines would be increased to up to A$50 million.
“Unfortunately, significant privacy breaches in recent weeks have shown that existing safeguards are inadequate,” he said.
“It is not enough that a penalty for a serious data breach is considered the cost of doing business.”
Home Secretary Clare O’Neil said on Tuesday that the impact of the Medibank hack was “potentially irreparable”.
“One of the reasons the government is so concerned about this is the nature of the data,” she told the Australian parliament.
“When it comes to the personal health information of Australians, the damage here is potentially irreparable.”
O’Neil has previously described hacking as a “dog act” – an Australian phrase reserved for something particularly shameful or despicable.