Medibank sends letters to dead customers after cyber attack, says sorry
Australia’s biggest health insurer has apologised to customers after it sent their dead relatives emails warning their personal information may be compromised following a cyber attack.
Medibank has apologised to customers after the health insurer sent letters to their dead relatives saying their medical records and other personal data may have been stolen in a cyber attack.
A cyber criminal group has threatened to release the sensitive health information of Medibank’s high profile and celebrity customers first – but the attack on the company could also mean that data of those who have died may also be publicly distributed.
Medibank, Australia’s biggest health insurer with more than 3.9 million policyholders, has warned current and former customers that their personal information is at risk. Because it is legally required to retain data for seven years for adults and 25 years for children, former policyholders are also affected.
This means that in some cases letters have been sent to customers who have died. One woman said Medibank sent an email to her grandfather, who passed away three years ago, to inform him his health information may be compromised.
“Thankfully he passed away in 2019. It would be so hard explaining it to him,” the woman, who The Australian has chosen not to name, said.
Medibank chief executive David Koczkar has “apologised unreservedly” for the attack, which the company disclosed on October 13. And a spokeswoman apologised again to customers on Monday after emails were sent to dead policyholders.
“When we first became aware of this incident we wrote to customers to alert them,” the spokeswoman said.
“In some cases, we will have written to former customers and unfortunately that might mean we have sent communications to some people who have passed away. We understand that receiving such a letter could be distressing to family members and we apologise if we have caused hurt in our efforts to communicate to everyone as quickly as possible.
“We are required by law to retain certain information for particular periods of time – seven years for adults and 25 years for children.”
It comes as Attorney-General Mark Dreyfus said Labor would introduce legislation to increase the maximum fine for serious breaches from $2.2m to at least $50m, following the attack on Medibank and another significant hack on Optus.
Companies could also be fined three times the value of “any benefit obtained” through the misuse of information, or 30 per cent of their adjusted turnover over the period the breach was conducted.
“When Australians are asked to hand over their personal data they have a right to expect it will be protected,” Mr Dreyfus said.
“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”
The hackers punctured Medibank’s cyber defence strategy, which is described as best practice and is said to fend off about 250 million blocked intrusion attempts at the network perimeter each month, to steal “very specific” customer data, including sensitive health information such as the medical conditions customers have been diagnosed with and the treatment they were prescribed.
This could potentially include deeply personal information relating to sexual health, serious diagnoses such as cancer, whether a woman has undergone a termination, and whether a person has been treated for a mental health condition or substance abuse.
The attack sent Medibank into two trading halts before the company requested a voluntary suspension from the ASX. The suspension is expected to end on Wednesday, when the company is due to release the latest update from its forensic investigation into how the breach happened and what data was stolen.
Already it has confirmed that the compromised data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data. Medibank has also warned that customer credit card security data may be at risk, but it is yet to confirm that this information has been stolen.
Australian Federal Police and Australian Signals Directorate officers have been stationed at Medibank to assist with the investigation, working alongside private security firms.
Late on Thursday, the Office of the Australian Information Commissioner also said it had begun making “preliminary inquiries” with Medibank to ensure it complied with data breach and retention laws.
A study from corporate advisory firm McGrathNicol has found most companies are bypassing negotiations and paying cyber criminals a ransom, often within 24 hours, to mitigate the reputational damage from a breach.
The McGrathNicol survey – which included more than 500 business owners, directors and executives who employ more than 50 people – found 69 per cent of companies have suffered a cyber attack in the past five years. This compares with 31 per cent in 2021.
It also found most executives are willing to pay almost double what they would have paid a year ago to stop a cyber attack, with the average payment totalling $1.28m.