As we have worked through this cyber incident, Medibank has committed to transparency about what we know, and how that could impact our customers, our people, and the broader community.
This cyber incident is now the subject of an investigation by the Australian Federal Police.
We know that our customers, people, and the community want to know what data has been stolen, and how that may affect them.
Here is what we can currently share
Medibank has been contacted by a criminal claiming to have stolen 200GB of data.
The criminal has provided a sample of records for 100 policies which we believe has come from our ahm and international student systems.
That data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.
This claims data includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures.
The criminal claims to have stolen other information, including data related to credit card security, which has not yet been verified by our investigations.
What we are doing now
Medibank teams continue to work around the clock to understand what additional customer data has been affected, and how this will impact them.
This morning we will commence making direct contact with the affected customers to inform them of this latest development, and to provide support and guidance on what to do next.
We expect the number of affected customers to grow as the incident continues.
We will continue to contact affected customers.
Medibank urges our customers to remain vigilant, and encourages them to seek independent advice from trusted sources, including the Australian Cyber Security Centre at cyber.gov.au
As always, Medibank will never contact customers requesting passwords or other sensitive information.
We understand that this development will be upsetting.
To reduce wait times for our customers, we have redeployed our people to support new cyber response hotlines in our call centres.
Medibank and ahm customers can contact us by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page on the website for any updates.
Our customers can also speak to Medibank’s experienced and qualified mental health professionals 24/7 over the phone to discuss any mental health questions or issues.
Medibank is in discussions with government stakeholders about what else we can do to assist our customers in safeguarding their identities and health information, and we will be in touch with customers about those steps directly.
Medibank will not hesitate to take decisive action to safeguard our customers and our people. Our ongoing response to protect our networks and systems may cause necessary temporary disruptions to our services.
In addition to supporting the Australian Federal Police’s criminal investigation, Medibank is working with specialised cyber security firms, the Australian Cyber Security Centre (ACSC) and government stakeholders.
Medibank will continue to provide regular, transparent updates.
Medibank CEO David Koczkar said
“I unreservedly apologise for this crime which has been perpetrated against our customers, our people, and the broader community.
“I know that many will be disappointed with Medibank and I acknowledge that disappointment.
“This cybercrime is now the subject of an investigation by the Australian Federal Police.
“We will learn from this incident and will share our learnings with others.
“Medibank will remain open and transparent and will continue to provide comprehensive updates as often as we can and need to.”
A trading halt in Medibank shares will continue until further notice.
This announcement has been authorised for release by The Board.