
Cyber risk in data honeypots from health insurance app craze: ACCC

The proliferation of wellness apps and rewards programs across Australia’s health insurance industry is heightening the risk of another Medibank-style cyber attack.

Medibank created its own Live Better app in 2019 and so far has about 500,000 members.

Health insurers are creating big honeypots of customer data via rewards schemes and wellness apps, heightening the risk of another Medibank-style cyber attack, Australia’s consumer watchdog warns.

Smartphone apps and customer reward programs have proliferated in Australia’s health insurance industry as funds seek to offer more value to attract and retain policyholders.

Such strategies have been used for years by Australia’s big retailers – Myer One, Woolworths Everyday Rewards and Qantas Frequent Flyer, for example – to gain greater insight into customer behaviour and bolster revenue, including through targeted marketing.

But the Australian Competition & Consumer Commission has warned health insurers that they must be “alive to the highly sensitive nature of the personal information they may be collecting and using”, particularly in the wake of the Medibank attack – Australia’s biggest cyber heist.

The regulator also warns that data harvested from wellness apps and rewards schemes could be used for other purposes – including health funds sharing or selling it to third parties.

“Insurers have continued to develop new schemes and build on existing programs which may allow them to access, use and in some cases share consumers’ personal information,” the ACCC said in a report to the Senate.

“A recent cybersecurity incident impacting Medibank also highlights the risks that arise when businesses collect large amounts of sensitive data. Insurers should weigh up these risks when considering new measures to collect consumer data, and should have sufficiently robust measures in place to protect against cybersecurity threats.”

The ACCC said it was also concerned that while Australia’s community rating system bans health funds from charging different private health insurance premiums to individual consumers based on health and other factors, consumer data collected by wellbeing apps and rewards schemes could be used for various other purposes.

“These purposes could include targeted marketing – including from third parties – and creation of insights that could be shared with or sold to third parties.”

Actor Chris Hemsworth’s Centr app has a valuation of $US200m ($294.3m). Picture: Greg Funnell

Health and wellness has come into focus in the past few years as Covid-19 has up-ended the way we live, work and play.

Actor Chris Hemsworth’s Centr app has a valuation of $US200m ($294.3m) after being bought by HighPost Capital, led by David Moross and Mark Bezos – the brother of Amazon billionaire Jeff Bezos.

Meanwhile South Australia’s Kayla Itsines and Tobi Pearce sold their Sweat app to US software giant iFit Health & Fitness for $400m last year, and Richmond AFL star Dustin Martin has begun sharing training and mindfulness tips via his own app, Drip.

Health funds have capitalised on the boom. Early in the pandemic, Bupa offered its members three months’ free access to former Bachelor star Sam Wood’s fitness program – with the aim of keeping people out of hospital and avoiding expensive claims, while creating more customer value.

Medibank created its own Live Better app in 2019 and has about 500,000 members. It has a platform offering rewards to members who complete health initiatives, including Covid-19 vaccination, blood pressure and skin checks. But the amount of data companies collect and retain has been questioned after Russian hackers infiltrated Medibank’s customer database in October and published the information on the dark web in folders with labels relating to pregnancy termination, drug and alcohol abuse and treatment for mental health conditions.

Medibank says by law it must retain customer data for seven years for adults and up to 25 years for children, meaning almost 10 million current and former policyholders were exposed during the cyber attack – emails were even sent to dead people, warning that their Medibank information may have been stolen.

The Australian parliament last week increased the maximum penalties for serious or repeated privacy breaches from the current $2.22m penalty to whichever is the greater of $50m, three times the value of any benefit obtained through the misuse of information, or 30 per cent of a company’s adjusted turnover in the relevant period.

Attorney-General Mark Dreyfus and Home Affairs Minister Clare O’Neil said in a joint statement that “the government has begun work on a new cyber strategy for the nation”.

“This will drive a whole-of-nation effort to counter cyber threats. After a wasted decade for digital reform, the Australian government is stepping up on cyber security and ransomware,” Mr Dreyfus and Ms O’Neil said.

Cyber criminals are becoming increasingly sophisticated in their assaults, with Texas-based Zimperium – which provides security for the mobile devices of US troops and was formerly backed by Telstra Ventures – identifying a raft of new malware threats.

On Friday, Zimperium announced it had uncovered a “Schoolyard Bully” Trojan that has been stealing Facebook credentials from unsuspecting users since 2018. Zimperium director of mobile threat intelligence Richard Melick said the Trojan was detected in numerous educational applications on the Google Play store.

“Attackers can cause a lot of havoc by stealing Facebook passwords. If they can impersonate someone from their legitimate Facebook account, it becomes extremely easy to phish friends and other contacts into sending money or sensitive information,” Mr Melick said.

“It’s also very concerning how many people reuse the same passwords. If an attacker steals someone’s Facebook password, there’s a high probability that same email and password will work with banking or financial apps, corporate accounts and so much more.”

Originally published as Cyber risk in data honeypots from health insurance app craze: ACCC

Original URL: https://www.heraldsun.com.au/business/cyber-risk-in-data-honeypots-from-health-insurance-app-craze-accc/news-story/e98bf187286252a0f355980ef77c8cbd