Australian health insurer says all customer data has been hacked

CANBERRA, Australia (AP) – Australia’s largest health insurer said Wednesday that a cybercriminal had hacked the personal information of all 4 million of its customers, as the government introduced legislation that would increase penalties for companies that fail to protect clients’ private information.
Medibank said “significant amounts of health claims data” had also become available in the breach, which was reported to police a week ago when trading in the company’s shares was halted.
The thief has demanded a ransom and is said to have threatened to reveal the diagnoses and treatments of high-profile customers.
Medibank said its priority was to discover the specific data that was stolen in relation to each customer and to share this information with those customers.
The company had previously said that the breach was believed to be limited to its subsidiary AHM and foreign students.
“Our investigation has now established that this criminal gained access to all of our private health insurance customers’ personal information and significant amounts of health claims data,” Medibank chief executive David Koczkar said in a statement to the Australian Securities Exchange.
“This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community,” Koczkar added, apologizing to customers.
The government has planned urgent legislative reforms to cyber security regulation since a hacker stole the personal data of nearly 10 million current and former customers of Optus, Australia’s second largest wireless telecommunications operator.
Optus became aware on September 21 that the personal data of more than a third of Australia’s population of 26 million had been stolen.
In introducing changes to the privacy law to parliament on Wednesday, Attorney General Mark Dreyfus named both companies and MyDeal, an online retailer that lost the data of 2.2 million customers in a hack disclosed two weeks ago.
“As the Optus, Medibank and MyDeal cyber attacks have recently highlighted, data breaches have the potential to cause serious financial and emotional harm to Australians and this is unacceptable,” Dreyfus told parliament.
“Governments, businesses and other organizations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset,” Dreyfus added.
The government is critical of companies that collect more customer data than necessary and then make money from it in ways unrelated to the services for which the information was provided.
Penalties for serious breaches of the Privacy Act will rise from AU$2.2 million ($1.4 million) now to AU$50 million ($32 million) under the proposed changes.
A company could also be fined the value of 30% of its revenue over a defined period if that amount exceeded AU$50 million ($32 million).
Medibank said on Wednesday it did not have cyber insurance and estimated the hack would cut revenue by between AU$25 million ($16 million) and AU$35 million ($22 million) early next year.
The Medibank trading freeze was lifted on Wednesday and shares fell more than 14% in early trading.