This article is more than 1 year old

Health insurer's infosec incident diagnosis goes from 'take a chill pill' to emergency ward

Australia's Medibank says it's been shown stolen data that includes details of treatments administered to customers

Updated Australian health insurer Medibank has revealed it's been contacted by a group that claims to have its customers' data and is threatening to distribute it.

As The Register reported last week, on October 13 the formerly government-owned insurer advised [PDF] it had spotted "unusual activity on its network" and had taken systems for sub-brand "ahm" offline, along with apps that deliver an insurance product for overseas students. The company said it could find no evidence that sensitive data had been accessed, but had hired cyber security firms to make sure it was on top of the situation.

An October 17, the company issued an update [PDF] describing the incident as "consistent with the precursors to a ransomware event" and explained it had taken down the apps mentioned above out of an abundance of caution, and had used the downtime to improve security across its operations.

The company's next update, on October 19, offered the following far nastier diagnosis:

Today Medibank Group has received messages from a group that wishes to negotiate with the company regarding their alleged removal of customer data

"This is a new development and Medibank … is working urgently to establish if the claim is true, although based on our ongoing forensic investigation we are treating the matter seriously at this time," the latest advisory adds.

The company, which listed on the Australian Securities Exchange (ASX) in 2014 after nearly 40 years as a government-owned non-profit insurer, advised the ASX that it was suspending trading of its shares amid likely disruptions to services.

Australian media report that whoever contacted Medibank has threatened to email personal data to people on the database, to prove they possess data describing the insurer's customers. If Medibank doesn't discuss payment to prevent wider release, the alleged attackers say they'll sell the data they lifted.

Australia's home affairs minister has rated the incident as "significant" and warned Australians that cyberattacks are the new – and unpleasant – normal.

The escalation of the incident comes after Singapore-owned Australian telco Optus leaked nearly ten million records and earned plenty of anger for an inconsistent and unempathetic response.

Between the Medibank breach, the Optus hack, and some smaller incidents, infosec has dominated Australia's news cycle for almost a month. The heat is on all organizations to get their cybers in order … if they can. ®

Updated at 0355 UTC October 20 to add

Medibank has posted another filing [PDF] in which it states the situation is now as follows:

  • Medibank has been contacted by a criminal claiming to have stolen 200GB of data.
  • The criminal has provided a sample of records for 100 policies which we believe has come from our ahm and international student systems.
  • That data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.
  • This claims data includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures.
  • The criminal claims to have stolen other information, including data related to credit card security, which has not yet been verified by our investigations.

The insurer added that it is still working "to understand what additional customer data has been affected" and has started contacting affected customers "to inform them of this latest development, and to provide support and guidance on what to do next."

More about


Send us news

Other stories you might like