While it was initially believed it was only customers with ahm and international students policies, the insurance company has now said all customers were impacted by the hack.

The hacker has accessed very specific claims data which could include the medical conditions customers have been diagnosed with and treatment they were prescribed.

“We have evidence that the criminal has removed some of our customers’ personal and health claims data and it is now likely that the criminal has stolen further personal and health claims data,” a statement from Medibank said.

“As a result, we expect that the number of affected customers could grow substantially.”

This could potentially include deeply personal information relating to sexual health, serious diagnoses such as cancer, whether a woman has undergone a termination, and whether a person has been treated for a mental health condition or substance abuse.

Medibank chief executive David Koczkar apologized again for the impact on customers.

“I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community,” he said.

The insurance company confirmed that the hack has not impacted customer access to health services and so far their IT systems have not been encrypted by any ransomware.

In response to the attack they have bolstered existing monitoring, added further detection and forensics capability across their systems and scaled up analytical support via specialist third parties.

A support package for affected customers will include free identity monitoring and financial and mental health support.

During a meeting on Tuesday, the Medibank Board advised that they will withdraw their 2023 Financial Year outlook for policyholder growth.

Medibank shares dived to a 17-month low of $2.95 on Wednesday morning.

The insurance company estimated that – given they do not have cyber insurance – the cyber crime event will come at a cost of between $25 and $25m for investors.

This does not include any costs accrued in remediation or legal fees.

Medibank will provide an update on the hack investigation at their Annual General Meeting on 16 November.

WHAT AFFECTED CUSTOMERS CAN DO

• Replace their Medicare card, which can be done online through MyGov
• If they are concerned their identity has been compromised or they have been a victim of a scam, contact their bank immediately and call IDCARE on 1800 595 160.
  
• If they believe there’s been unauthorised activity using their Medicare number, they can call Service Australia’s Scams and Identity Theft Help Desk
  
• Secure their devices and monitor their devices and accounts for unusual activity, and ensure they have the latest security updates.
• Enable multi‑factor authentication for all accounts.
• Be alert for scams referencing Medibank Private
• All Medibank and ahm customers can contact our cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page on the website for any updates
• Customers can also speak to Medibank’s mental health professionals 24/7 over the phone for advice or support around mental health or wellbeing (1800 644 325)
• Utilise a Medibank cybercrime customer support package set up for affected customers (it includes financial support, access to specialist identity protection advice and resources from IDCARE, free identity monitoring services for customers who have had their primary ID compromised and reimbursement of fees for re-issue of identity documents)

Originally published as Medibank reveals hacker has access to 3.9 million customers’ personal data