An Australian health insurer’s customer data – including diagnoses and treatments – is being held for ransom by a cyber criminal in the nation’s second major privacy breach in a month, officials have said.
Trade in Medibank shares has been halted on the Australian Securities Exchange since Wednesday when police were alerted that the company had been contacted by what it described as a “criminal” who wanted to negotiate over the stolen personal data of customers.
Medibank, which has 3.7 million customers, said the criminal had provided a sample of 100 customer policies from a purported haul of 200 gigabytes of stolen data.
Details included customer names, addresses, birth dates, national health care identification numbers and phone numbers.
Cyber security minister Clare O’Neil said most concerning was that records of medical diagnoses and procedures had also been stolen.
An update on the cyber incident on Medibank.
While facts are still being established, Medibank has been working closely with the @asdgovau and the @ausfedpolice to try and manage the situation and protect customers’ data. pic.twitter.com/gGSUirhg5T— Clare O'Neil MP (@ClareONeilMP) October 20, 2022
Ms O’Neil told reporters: “Financial crime is a terrible thing. But ultimately, a credit card can be replaced.
“The threat that is being made here to make the private, personal health information of Australians made available to the public is a dog act.”
The Medibank breach, which Ms O’Neil described as a “ransomware attack”, came a month after a cyber attack stole from telecommunications company Optus the personal data of 9.8 million customers.
The Optus breach, which compromised the personal data of more than a third of Australia’s population, prompted the government to propose urgent reforms to privacy laws that would increase penalties for companies that fail to protect customers’ data and limit the quantity of data that can be retained.
Ms O’Neil said cyber crime was a growing problem around the world and that Australia needs to be better prepared for it.
“We are going to be under relentless cyber attack essentially from here on in, and what it means is that we need to do a lot better as a country to make sure that we are doing everything we can within organisations to protect customer data and also for citizens to be doing everything that they can,” she told the Australian Broadcasting Corp.
“Combined with Optus, this is a huge wake-up call for the country and certainly gives the government a really clear mandate to do some things that frankly probably should have been done five years ago, but I think are still very crucially important,” she added, referring to privacy law reforms that the government hopes to pass through parliament this year.
Medibank chief executive David Koczkar said his company was working with specialised cyber security firms as well as police and government experts in response to the breach.
“I unreservedly apologise for this crime which has been perpetrated against our customers, our people and the broader community,” Mr Koczkar said in a statement.
“I know that many will be disappointed with Medibank and I acknowledge that disappointment,” he added.