Customers 'horrified', 'frustrated' by Medibank's data hack response

Medibank customers caught up in the data hack tell CHOICE of their frustration at the insurer's poor response.

Last updated: 17 November 2022


Current and former Medibank customers affected by the recent data hack are growing increasingly frustrated by what they describe as a lack of support and communication from one of Australia's largest private health insurers.

More than a month after reams of sensitive customer data fell into the hands of cybercriminals, some customers are still in the dark about whether their data has been stolen and, if so, what data the criminals have. Others say that trying to contact the company about the breach has been difficult, at best.

On 13 October 2022, Medibank announced it had detected suspicious activity on its network, but believed no customer data had been stolen.

The insurer later admitted that the data of four million Medibank and subsidiary AHM customers had been accessed by unknown hackers, revising that figure earlier this month up to 9.7 million current and former customers.

What customers are saying 

Poor communication

AHM customer Sarah Gatta says the company's communications have been spotty.  

"I'm pretty horrified by the lack of proper communication … I get that there are a lot of customers affected, but it's all put back on customers," she says. "I'm really disappointed." 

"They had time to call me and follow up about a quote, so the sales team is more active than [Medibank's] response to the cyber attack." 

Lack of information

Steve, who was a Medibank customer four years ago, reports that after multiple calls to the company and a 40-minute phone conversation, Medibank was unable to confirm or deny that his credit card details had been compromised.

"I was pretty frustrated," he says. "As a customer you need to know what action you need to take. I need to know if I need to get my bank to cancel the card. But how can you [take action] without the information?" 

Christopher Moore, a former AHM customer, says he has received two generic customer letters in the mail, but still hasn't heard anything specific from the company about whether his data has been breached. 

"If I don't need to worry about anything, then that would be good to know," he says.

Email adds to confusion 

Peter Slattery says he and his wife, both Medibank customers for over a decade, were surprised to see that the email Medibank sent them saying their data had been stolen contained 10 hyperlinks for further assistance. 

Scamwatch and other anti-scam organisations regularly warn customers not to click on links, no matter how official they look. The advice is to head directly to the webpage instead. 

Peter called the company to check if the email was legitimate, and says he waited on hold for an hour and 42 minutes. 

CHOICE: Medibank response is unacceptable

CHOICE consumer data advocate Kate Bower says Medibank's response, and the fact that some customers still hadn't been informed about what was stolen, is unacceptable.

"We know that cybercriminals are posting customer data on the dark web, so timeliness is critically important and customers rightfully expect better from Australia's largest health insurer," she says. 

"As consumers, we entrust businesses with our data and we expect they will keep it safe. When they don't, we expect timely and appropriate redress. Unfortunately, Australia's data privacy and security laws have been lagging behind the rampant over-collection of consumer data." 

CHOICE is pushing for stronger consumer and privacy protections in the current review of the Privacy Act due later this year. 

Medibank CEO gives update

We sent questions about customers' frustrations to Medibank, and the company responded by directing us to a speech from CEO David Koczkar to the company's annual general meeting on Wednesday.

In the speech he says the company has been "focused on communicating potential impacts to our customers and providing them with guidance and support". 

"I can confirm that in the last five weeks, we have regularly written to or spoken with our current and former customers to update them on the unfolding cybercrime. 

"Last week we began communicating with customers whose personal information we believe was stolen to advise them of the specific data that relates to them. And we have continued to email new groups of customers each day," he said. 

"Our customers can also contact us to understand what data has been accessed – we've extended call centre hours and we've increased our customer support team by more than 300 people," he added. 
