About 4M Australians Affected by Extortion Demand Made Against the Health Insurer
Fallout from the hack of Australian health insurer Medibank continues to worsen as the company twice this week acknowledged a wider set of affected individuals.
The company, the country’s largest provider of private health insurance, announced Thursday that the data of patients who used a South Australian home hospital service have been caught up in the data breach, which has turned into an extortion demand from a ransomware attacker.
Patients in Adelaide and surrounding areas who used the “My Home Hospital” service provided jointly by Medibank with another organization at the very least had the confidentiality of their data breached. Medibank is till determining whether hackers also downloaded data.
The disclosure came just a day after Medibank revealed hackers had access to an even wider set of data than previously understood. In addition to personal data and significant amounts of health claims data from the company’s ahm-branded insurance and its portfolio of international students studying in Australia, hackers were also able to access all of Medibank customers’ personal data as well as large amounts of their health claims data. The company insures 3.9 million individuals.
South Australian government agency Wellbeing SA said it learned that the Medibank breach affected residents late on Wednesday. Anyone who accessed the home care service for the first time after Oct. 12 is not affected by the breach, both Medibank and Wellbeing SA say.
Wellbeing SA Chief Executive Lyn Dean told ABC Radio that the number of affected individuals is about 4,400 patients.
Dean did not confirm what data is potentially compromised but said “it was the reporting portal that was accessed” and that means personal and medical data – such as name, address, reasons for admission and what treatments are being undergone – was compromised.
Hackers Had Complete Access
The steady tempo of worsening announcements from Medibank is a reversal of the company’s initial prognosis of its Oct. 12 cyber incident. The company at first told Australians it had found no evidence of data being accessed (see: Australian Insurer Back Online After Cyberattack).
That turned into an acknowledgment that Medibank had received an extortion demand from a hacker claiming to have downloaded 200 gigabytes of internal data. A sample of 100 records provided by the hacker includes diagnostic codes, full names and addresses, and the location of medical service delivery, the company said Oct. 20.
Australian Federal Police is treating the cyberattack as a crime, Minister for Home Affairs Clare O’Neil said last week (see: Medibank Acknowledges Data Breach Including Medical Data).