Australia's largest private health insurer Medibank says the personal customer data on all of its 4 million customers, and an unknown number of former customers, has been accessed by hackers.
Medibank was alerted to a cyber security attack on 13 October, but initially said it didn't believe any customer data had been accessed.
In an update to the ASX on Wednesday 26 October, the company says an investigation has established that all AHM and Medibank customers' personal data along with a "significant amount" of health claims data has been breached.
"The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal," says Medibank CEO David Koczkar.
"As we've continued to say, we believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially. I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community."
Customers in the dark on details
In the wake of the Optus data breach last month, we shared top tips from cyber security experts on how to protect yourself if caught up in the telco breach.
Advice included changing online passwords, setting up two-factor authentication for sensitive accounts, replacing identity documents that had been breached, being wary of and monitoring for scams, and signing up for credit reporting.
But the situation for Medibank customers is complicated by the fact that the company still hasn't told individual customers what data has been breached and what documents might be in the hands of the cyber criminals.
Medibank says it will provide free "identity monitoring services" for customers who have had their primary ID compromised, and will also reimburse the fees for re-issue of identity documents that have been fully compromised.
The health fund did not provide additional information as to how many customers this would apply to.
Privacy Act not fit for purpose
Kate Bower, consumer data advocate at CHOICE, says the Medibank data hack was a "breach of trust" that highlights flaws in the Privacy Act.
"Customers are understandably angry and frustrated. Medibank needs to prioritise their customers by notifying them directly about the extent of the breach and what they are doing to remediate the harms," she says.
"The Medibank data breach is another wake up call that the Privacy Act is not fit for purpose and regulators are unable to protect Australians and their data. As with Optus, customers are left mopping up the mess made by big business and with no entitlement to compensation."
Stronger penalties are a start, Bower says, but "we need to stop over-collection of our data and give regulators the power and resources to enforce the law."