Medibank confirms hacker had access to data of all 3.9 million customers

Medibank has revealed all of its 3.9 million customers have had their data exposed to a hacker, in a significant escalation of the cyber-attack on the Australian health insurer.

The personal information includes name, address, date of birth, some Medicare card numbers and gender. The health information includes the claim codes made by customers.

Medibank still cannot say definitively how many or which customers are affected beyond the 1,000 records provided to the insurer by the hacker in the past two weeks. It is through this communication with the hacker that Medibank has been able to determine the extent of the breach so far.

The breach will also affect former customers, with Medibank confirming yesterday that state and territory health record laws require the company to keep data for seven years.

The hack is likely to cost the company a minimum between $25m and $35m, Medibank said. This is due to Medibank not having cyber-attack insurance, and this estimated cost does not include customer compensation or regulatory or legal costs that may be brought against the company.

He said the information the company has been able to obtain about the attack has been through communications with the hacker, who showed evidence of records obtained.

In a statement to the stock exchange, Koczkar apologised unreservedly to customers.

Medibank announced on Tuesday it would delay premium increases for all customers until the end of January 2023. On Wednesday, the company said this would cost around $62m, which would be offset by savings the company has made during the Covid-19 pandemic.

The hack is under investigation by the Australian federal police.