The future of Medibank Private is in doubt after it revealed the biggest shock so far in its cyberhacking scandal – that hackers accessed personal information and sensitive health data on all 4 million of its customers, as well as on an unknown number of former customers.
This news of an escalation of the data breach raises questions about whether Medibank Private is a viable company if all its patients’ identities and other data is now in the hands of the hackers.
This revelation means there are now millions of people who have had their details from both Optus and Medibank Private hacked, a terrible situation for all those concerned.
Shares in the nation’s largest health insurer plunged as much as 18% to a low of $2.87 after they resumed trading on the ASX yesterday,
It was the first time the shares have traded since the company confirmed last week that customer data had been accessed.
While $2.87 is the lowest the shares have been since early 2021, the fact that they didn’t fall even further could perhaps be interpreted as optimism among investors that the company can survive this crisis without considerable financial and reputational costs.
From what management told a briefing yesterday, the company still hasn’t a full handle on just how much data was taken.
CEO David Koczkar said told Nine/Fairfax Media that
“The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal.”
“As we’ve continued to say we believe that the scale of stolen customer data will be greater, and we expect that the number of affected customers could grow substantially.”
Medibank, which is Australia’s largest health insurer, had said in a statement on Wednesday morning before the briefing that details of all of its customers – and those of budget arm ahm – had been affected by the breach.
Information access includes personal data and “significant amounts” of health claim information from customers of Medibank, AHM and international students.
“We have evidence that the criminal has removed some of our customers’ personal and health claims data and it is now likely that the criminal has stolen further personal and health claims data,” the company said in Wednesday’s statement.
“As a result, we expect that the number of affected customers could grow substantially.”
Medibank had already said on Tuesday that the hack was bigger than it first thought. Wednesday’s announcement was a much more significant escalation of the crisis.
The health insurer has been contacting current and former customers who might have had their personal information stolen in the hack.
“Our investigation has now established that this criminal has accessed all our private health insurance customers personal data and significant amounts of their health claims data,” Mr Koczkar said on Wednesday.
“The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal.”
He again “apologised unreservedly” to the companies’ millions of customers.
“This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community,” Mr Koczkar said.
Medibank has announced a support package for affected customers that includes:
- Financial support for those who are in a uniquely vulnerable position as a result of this crime
- Access to Medibank’s mental health and wellbeing support line for all customers, including ahm customers
- Access to specialist identity protection advice and resources from IDCARE
- Free identity monitoring services for customers who have had their primary ID compromised
- Reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime.
It will take months for the financial cost to be established which will have to include remediation to customers.