While it was initially believed it was only customers with ahm and international students policies, the insurance company has now said all customers were impacted by the hack.

The hacker has accessed very specific claims data which could include the medical conditions customers have been diagnosed with and treatments they were prescribed.

HERE IS WHAT AFFECTED CUSTOMERS CAN DO

• Replace their Medicare card, which can be done online through MyGov.
• If they are concerned their identity has been compromised or they have been a victim of a scam, contact their bank immediately and call IDCARE on 1800 595 160.
  
• If they believe there’s been unauthorised activity using their Medicare number, they can call Service Australia’s Scams and Identity Theft Help Desk.
  
• Secure their devices and monitor their devices and accounts for unusual activity, and ensure they have the latest security updates.
• Enable multi‑factor authentication for all accounts.
• Be alert for scams referencing Medibank Private.
• All Medibank and ahm customers can contact their cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page on the website for any updates.
• Customers can also speak to Medibank’s mental health professionals 24/7 over the phone for advice or support around mental health or wellbeing (1800 644 325).
• Utilise a Medibank cybercrime customer support package set up for affected customers (it includes financial support, access to specialist identity protection advice and resources from IDCARE, free identity monitoring services for customers who have had their primary ID compromised and reimbursement of fees for reissue of identity documents)

“We have evidence that the criminal has removed some of our customers’ personal and health claims data and it is now likely that the criminal has stolen further personal and health claims data,” a statement from Medibank said.

“As a result, we expect that the number of affected customers could grow substantially.”

This could potentially include deeply personal information relating to sexual health, serious diagnoses such as cancer, whether a woman has undergone a termination, and whether a person has been treated for a mental health condition or substance abuse.

Medibank chief executive David Koczkar apologised again for the impact on customers.

“I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community,” he said.

The insurance company confirmed the hack has not impacted customer access to health services and so far its IT systems have not been encrypted by any ransomware.

In response to the attack, they have bolstered existing monitoring, added further detection and forensics capability across their systems and scaled up analytical support via specialist third parties.

During a meeting on Tuesday, Medibank’s board advised it will withdraw the company’s 2023 Financial Year outlook for policyholder growth.

Medibank shares dived to a 17-month low of $2.95 on Wednesday morning.

The insurance company estimated that – given it does not have cyber insurance – the cyber crime event will come at a cost of between $25m and $35m for investors.

This does not include any costs accrued in remediation or legal fees.

Medibank will provide an update on the hack investigation at its Annual General Meeting on November 16.

More related stories

NewsWire

Alfred impact sends reigning premiers south

After flooding forced the NRL’s Gold Coast Titans out of their training venue the AFL reigning premiers have had to leave their Brisbane training base to find better training conditions.

Read more

NewsWire

Hidden killer lurking in floodwaters

Medical experts have warned residents of a deadly disease lurking in floodwaters and the air that has already claimed almost 20 lives.

Read more