Cyber security minister Clare O’Neil brands Medibank hack a ‘dog act’, warning of ‘irreparable harm’

Clare O’Neil has branded the theft of sensitive health records from Medibank’s cyber attack ‘a dog act’ and warned of ‘irreparable harm’.

Cyber Security Minister Clare O’Neil has branded the theft of sensitive health records from Medibank’s cyber attack “a dog act” and warned of “irreparable harm” from the breach.

Medibank is contacting customers who left the health insurer years ago, saying their data – including their claims history – may have been stolen in a cyber attack, prompting further calls to change laws about how long companies can retain personal information.

A group of hackers has approached Medibank – Australia’s biggest health insurer with more than 3.9 million members – demanding a ransom after it claimed to have stolen 200GB of personal data. The company said the “criminal” had provided a sample of 100 policies, which is understood to have come from its AHM and international student systems.

Medibank said on Thursday that Australian Federal Police were investigating the cyber attack, with data stolen including names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.

“This claims data includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures. The criminal claims to have stolen other information, including data related to credit card security, which has not yet been verified by our investigations,” Medibank said.

“We expect the number of affected customers to grow as the incident continues. We understand that this development will be upsetting.”

Ms O’Neil said the ransom threat against Medibank was credible, with the Australian Federal Police and Australian Signals Directorate officers stationed within Medibank to limit the fallout.

“Financial crime is a terrible thing, but ultimately a credit card can be replaced,” Ms O’Neil said.

“The threat that is being made here, to make the private, personal health information of Australians available to the public, is a dog act.”

Some customers were perplexed to receive an email from Medibank chief executive David Koczkar, informing them of the potential theft, given they had left the insurer years ago.

Medibank says it must retain data for seven years under certain legal requirements, while for children they need to retain their health information until they are 25.

Attributed to the group – but unverified – are threats to sell the information to third parties and to contact Medibank customers directly to authenticate that the data has been accessed. Because Medibank is a health insurer, it collates large amounts of data including on the health of customers.

Cyber Security Minister Clare O’Neil has described the theft of medical records in Medibank’s attack as a ‘dog act’.

Mr Koczkar said he “unreservedly apologises for this crime”.

“I know that many will be disappointed with Medibank and I acknowledge that disappointment,” he said.

“We will learn from this incident and will share our learnings with others. Medibank will remain open and transparent and will continue to provide comprehensive updates as often as we can and need to.”

Attorney-General Mark Dreyfus says the government is considering introducing new laws to prevent companies holding private information longer than necessary – with the Medibank attack the third breach to hit a major Australian company in the past month.

In a letter to customers, Mr Koczkar said data protection “remains our priority” and it was “working urgently” to establish if the hacking group’s claim is true.

“Based on our ongoing forensic investigation we are treating the matter seriously at this time,” Mr Koczkar said in the letter.

“I understand that this may cause you some concern, and I apologise. I want to assure you that the protection of your data remains our priority.

“Our systems have not been encrypted by ransomware, which means usual activities for customers continue. However, our ongoing response to safeguard our networks and systems may require necessary temporary disruptions to our services.”

But privacy and cyber experts say there are steps companies can take to make sure they aren’t creating a honeypot of data for hackers.

Professor Carsten Rudolph of Monash University’s Department of Software Systems and Cybersecurity said companies needed to consider a two-pronged approach: holding less personal data, and de-identifying the information they do hold.

Further, he said customers should be empowered to force the deletion of their personal information.

“We need to move beyond thinking about how we protect critical data sets to a strategy of data minimisation,” Professor Rudolph said.

“For a health insurer, this would mean to critically analyse what data is actually required to deliver the service. Which type of data needs to be readily available? What data can just be used for a shorter process without actually retaining it?

“Further, critical customer health information should either not be stored by an insurer at all, or if it is required, it should not be easy to link it to the customer’s identity.”
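As an added illustration of the data-minimisation and de-identification approach Professor Rudolph describes (example code written for this page, not Medibank’s or Monash’s), this Python sketch keeps member identities and claims in separate stores, keys claims by an HMAC pseudonym so a leaked claims table cannot be linked back to a member without the key, and purges claims under the seven-year and age-25 retention rules the article cites. The reading of the age-25 rule (claims made while the member was under 18 are kept until their 25th birthday), the key handling and all member data are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 7          # general retention period cited in the article
CHILD_RETAIN_UNTIL_AGE = 25  # children's records are kept until age 25

def add_years(d: date, years: int) -> date:
    """Add whole years; 29 Feb rolls forward to 1 Mar in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)

@dataclass
class Claim:
    service_date: date
    location: str        # where the service was received
    procedure_code: str  # diagnosis/procedure code

class ClaimsVault:
    """Identity and claims are held apart: claims are keyed by an HMAC pseudonym of
    the member id, so a leaked claims table alone cannot be linked to a person
    without the key (which would sit in a separate key store in practice)."""
    def __init__(self, key: bytes):
        self._key = key
        self.identities: dict[str, date] = {}     # member_id -> date of birth
        self.claims: dict[str, list[Claim]] = {}  # pseudonym -> claims
    def pseudonym(self, member_id: str) -> str:
        return hmac.new(self._key, member_id.encode(), hashlib.sha256).hexdigest()
    def enrol(self, member_id: str, dob: date) -> None:
        self.identities[member_id] = dob
    def record_claim(self, member_id: str, claim: Claim) -> None:
        self.claims.setdefault(self.pseudonym(member_id), []).append(claim)
    def retain_until(self, dob: date, claim: Claim) -> date:
        # Seven years from service; a claim made while the member was under 18 is
        # kept until their 25th birthday if later (assumed reading of the rule).
        until = add_years(claim.service_date, RETENTION_YEARS)
        if claim.service_date < add_years(dob, 18):
            until = max(until, add_years(dob, CHILD_RETAIN_UNTIL_AGE))
        return until
    def purge_expired(self, today: date) -> int:
        """Drop claims past their retention date; return how many were removed."""
        removed = 0
        for member_id, dob in self.identities.items():
            pid = self.pseudonym(member_id)
            old = self.claims.get(pid, [])
            kept = [c for c in old if self.retain_until(dob, c) > today]
            removed += len(old) - len(kept)
            self.claims[pid] = kept
        return removed
```

A real deployment would also delete the identity record itself once a former member's last claim has expired, so that nothing retained can be tied to a person.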

Professor Rudolph said personal information could also be encrypted so that the number of data requests could be controlled, stopping the malicious activity in which a complete database is “syphoned off”.

“We should also review data sharing approaches. Currently, data sharing protocols as enabled through the Consumer Data Right framework do not give consumers the option to decide how long their data is stored,” he said.

“It merely requires the company to seek sharing permissions and then the consumer can either give consent or decide for their data not to be shared. Consumers should be empowered to make informed decisions, customise sharing permissions and should be able to enforce the deletion of data.”

Matt Boon, senior director at Australian tech research and advisory firm ADAPT, said Medibank faced a “no-win situation” in dealing with the hacking group and paying a potential ransom.

“Companies that opt to pay ransoms to attackers risk making a rod for their own backs by signalling they’re a soft target, while at the same time, refusing to pay might be seen as the company not making every effort to protect customer data,” Mr Boon said.

“That said, they may have no choice but to bow to immense pressure from the public and the Government to retrieve the information at any cost. Medibank’s efforts to minimise the potential damage of this breach and communicate to its customers the impact on them in a clear, constructive way in the coming hours and days is vital to maintaining their trust.”

Medibank told the ASX last Thursday that it had detected “unusual activity in its network”, but added there was no evidence any sensitive data had been taken. It repeated that assurance in a statement on Monday before it revealed it had been approached by the hacking group on Wednesday, forcing it into a trading halt.

At the time, it disclosed unusual activity in its AHM and international student policy management systems, which were taken offline as a precaution.

The trading halt will continue until further notice, and the company has advised the cyber security agencies.

The breach would be the third to affect a major local corporation since September. Information relating to almost 10 million Optus customers – including some Medicare numbers – was accessed last month, and the telco has brought in Deloitte to conduct an investigation into its security systems.

Originally published as Cyber security minister Clare O’Neil brands Medibank hack a ‘dog act’, warning of ‘irreparable harm’

Original URL: https://www.dailytelegraph.com.au/business/medibank-hack-sparks-call-to-end-companies-creating-data-honeypots-for-hackers/news-story/d7c4ac7505a79e2ccc6dad00356776fa