Medibank cyberattack update: Insurer refuses to pay ransom

The Australian health insurance giant Medibank has delivered an update on the massive data breach it recently suffered, which resulted in the leaking of the personal data of around 9.7 million current and former clients.

The insurer has announced that it will not pay the ransom demand of the criminal responsible for this data theft.

In a statement, Medibank said: “Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”

Medibank noted that this decision is consistent with the position of the Australian Government. The insurer revealed that based on its investigation into the incident, it believes the criminal has accessed the name, date of birth, address, phone number and email address of around 9.7 million current and former customers and some of their authorised representatives.

The figure represents about 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers. In addition, the threat actor is thought to have gained access to:

• Medicare numbers (but not expiry dates) for ahm customers
• Passport numbers (but not expiry dates) and visa details for international student customers
• Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed
• Health provider details, including names, provider numbers and addresses

Thus far, the investigation has found that the threat actor does not appear to have accessed credit card and banking details, primary identity documents (such as drivers’ licences, for Medibank and ahm resident customers) and health claims data for extras services (such as dental, physio, optical and psychology). The insurer said it believes that all of the customer data accessed could have been taken by the criminal.

How Medicare is responding

In a Press release, Medibank acknowledged the distressing nature of the crime and apologised unreservedly to its customers.

“We will continue to inform affected customers of what data we believe has been accessed or stolen and provide advice on what they should do,” the insurer said. “This will be done via email or letter and in some cases via phone.”

The organisation has expanded its dedicated Cyber Response Support Program for our customers to now include:

• A cybercrime health & wellbeing line (1800 644 325)
• A mental health outreach service
• Its Better Minds App
• Personal duress alarms – for customers particularly vulnerable and/or with safety risks 

As previously reported, the insurer highlighted that premium increases have been deferred for Medibank and ahm customers. These were scheduled to rise on November 01, 2022, and will now occur on January 16, 2023.