Written by staff writer.
The people behind the mid-October Medicare Private cyber-attack have released what is believed to be the full set of stolen raw data. After weeks of small data drops on the dark web, the hackers uploaded six zipped files containing 5GB of compressed data on Thursday morning, Australian east coast time, with the message “Happy cyber security day!!! Added folder full. Case closed.”
During the cyber-attack, the hackers downloaded the personal information of approximately 9.7 million current and former customers of Medibank Private and its subsidiary health insurance brands. However, Australia’s largest private health insurer has refused to pay the AUD14.7 million ransom demand.
“We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” said Medibank Private CEO David Koczkar last month.
In a statement to media organisations, Medibank Private says they are still working through Thursday’s big data dump and say that even though much of it is incomplete and hard to understand, their preliminary view is that the zip files do contain all of the stolen data.
“While our investigation continues, there are currently no signs that financial or banking data has been taken. And the personal data stolen, in itself, is not sufficient to enable identity and financial fraud,” the health insurer says. Critically, nearly two months after the breach, Medibank Private believes the hackers did not access customer credit card details or primary identity document details.
But Medibank Private confirms that the hackers downloaded the names, dates of birth, addresses, phone numbers and email addresses of its 9.7 million current and former customers during the breach. They say that the health claims data of approximately 160,000 Medibank customers, 300,000 ahm customers and around 20,000 international customers was accessed. At the same time, about 5,200 My Home Hospital patients have had some personal and health claims data accessed.
“Again, I unreservedly apologise to our customers,” said Koczkar this week. The release of the complete data set coincides with the news that legal firm Maurice Blackburn is working on a class action against the health insurer. Maurice Blackburn has written to Medibank Private saying that they intend to file a representative complaint with the Office of the Australian Information Commissioner (OAIC) and asking for a response.
“Medibank is currently considering Maurice Blackburn’s letter and intends to respond in the time requested,” the health insurer says.
Meanwhile, also on December 1, the OAIC confirmed it was launching an investigation into Medibank Private’s handling of sensitive customer data. The investigation will examine whether the health insurer took sufficient steps to protect customer data. Medibank Private says it will fully cooperate with the investigation.
The OAIC has a similar investigation underway examining the Optus data breach. The OAIC has a broad range of powers, including seeking civil penalties through the Federal Court of up to AUD2.2 million for each contravention.
Preliminary OAIC investigations began soon after the data breach, with the agency looking at whether Medibank Private had complied with the Notifiable Data Breaches scheme. The continuing investigation will look at whether Medibank Private did enough beforehand to prevent the misuse, interference, loss, unauthorised access, modification, or disclosure of customer data.
