Medibank has revealed the data hack of its network has exposed all 3.9 million of its customers, with personal health information and Medicare numbers breached.

And the cyber attack is expected to cost Medibank, which does not have cyber insurance, between $25m and $35m, not including potential customer remediation, or litigation related costs.

The health insurer revealed on Wednesday morning that the criminal behind the breach had access to all of Medibank’s ahm customers, international students and Medibank customers’ personal data and significant amounts of health claims data.

“As previously advised, we have evidence that the criminal has removed some of our customers’ personal and health claims data and it is now likely that the criminal has stolen further personal and health claims data. As a result, we expect that the number of affected customers could grow substantially,” Medibank said in a statement.

“Medibank has announced a support package for affected customers which includes a hardship package to provide financial support for customers who are in a uniquely vulnerable position as a result of this crime, Access to Medibank’s mental health and wellbeing support line for all customers and access to specialist identity protection advice and resources.”

Free identity monitoring services for customers who have had their primary ID compromised and reimbursements for the replacement of identity documents will also be offered.

“To date, Medibank’s IT systems have not been encrypted by ransomware,” Medibank said.

“Normal business operations have been maintained with customers continuing to access health services.”

Attack a ‘terrible crime’

Medibank has withdrawn guidance on policyholder growth as it warns a cyber attack on the company is likely to cost tens of millions and send shares into a tailspin.

Medibank is Australia’s biggest health insurer and because it did not have cyber insurance, investors will have to foot the bill for the attack.

Medibank shares dived as much as 16 per cent to a 17-month low of $2.95 on Wednesday morning.

It is expecting the number of customers who have had their medical records and other personal data stolen to “grow substantially” after criminals hacked into all the company’s brands via a Russian online criminal forum.

Chief executive David Koczkar said the attack was a “a terrible crime”

“This is a crime designed to cause maximum harm to the most vulnerable members of our community,” he said.

“Our investigation has now established that this criminal has accessed all our private health insurance customers personal data and significant amounts of their health claims data. The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal.

Mr Koczkar withdrew policyholder guidance on Wednesday after warning last week that he did not expect the breach to derail Medibank’s earnings, citing the “uncertain impact of this cybercrime event”.

Instead, Medibank will provide another trading update at its half-year financial results in February.

“This cybercrime event continues to evolve and at this stage, we are unable to predict with any certainty the impact of any future events on Medibank including the quantum of any potential customer and other remediation, regulatory or litigation related costs.”

On Tuesday, Medibank said it has deferred premium increases after confirming its cybercrime event included theft of Medibank customer data as well as that of ahm and international students. The deferments are estimated to cost the company north of $50m.

The criminal behind the Medibank data hack bought login credentials to gain access to the network from an online Russian criminal forum and did extensive reconnaissance before collecting the data, which experts estimate would have lasted months.

Hackers after ‘very specific’ data

The hackers punctured Medibank’s cyber defence strategy – which is considered best practices and has successfully fended off 250 million attacks known as perimeter attempts a month – to steal “very specific” customer data, including sensitive health information such as the medical conditions customers have been diagnosed with and treatment they were prescribed.

This could potentially include deeply personal information relating to sexual health, serious diagnoses such as cancer, whether a woman has undergone a termination, and whether a person has been treated for a mental health condition or substance abuse.

On Monday, Medibank apologised to customers after the health insurer sent letters to their dead relatives saying their medical records and other personal data may have been stolen in a cyber attack.

It comes as net resident policyholder growth in the three months to September 30 was 14,600. This represented growth of 3.2 per cent on an annualised basis - above Medibank’s previous guidance of about 2.7 per cent, which it said assumed a “modest decline in industry participation growth in FY23 relative to FY22”.

The company, which has a market value of $9.65bn, said its underlying net claims expense continued to track below the FY23 outlook of 2.3 per cent.

“This has resulted in further permanent net claims savings due to Covid-19 of approximately $62m and these savings will offset the cost of the deferral of premium increases for Medibank and ahm.

“As at September 30 2022, our health insurance capital ratio was 13.4 per cent, and unallocated capital was approximately $150m.”

Opposition cyber security spokesman James Paterson said “this is the absolute worst case scenario and customers will rightly anger Medibank customers”.

More related stories

News

Meghan Markle’s favourite face gym is opening in Australia, Greta Thunberg publishes Andrew Tate’s contact details

All the news that's fit to mint.

Read more

News

Emily Ratajkowski joins the competitive world of online dating, Nick Kyrgios quits at the last minute

All the news that's fit to mint.

Read more