Medibank has published a granular analysis of what data was impacted and for which customers as a result of last month’s cyber attack, and says it won’t pay a ransom to the attackers.
In a statement to the ASX, Medibank said that for around 9.7 million customers (5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers), the attackers accessed name, date of birth, address, phone number, and email address.
Medicare numbers, but not expiry dates, were accessed for ahm customers.
Medibank said it doesn’t collect primary identity documents for Australian residents “except in exceptional circumstances”, so Medibank and ahm customers did not have those exposed.
International student customers had passport numbers (but not expiry dates) and visa details accessed, Medibank said.
The company also provided granular information on customers who had their health care information exposed.
Around 160,000 Medibank customers, 300,000 ahm customers, and 20,000 international customers had health claims data accessed, including provider name and location, and procedure and diagnostic claim codes.
Around 5200 My Home Hospital patients had “some personal and health claims data” breached, and some contact details were exposed for 2900 of those patients’ next of kin.
“Extras” – dental, physio, optical and psychology for example – were not exposed.
Medibank CEO David Koczkar said the insurer had resolved not to pay any ransom demands.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Koczkar said.
“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.
“It is for these reasons we have decided we will not pay a ransom for this event.”
Koczkar said the insurer would continue to offer support to individuals caught up in the hack, covering “mental health and wellbeing support, identity protection and financial hardship measures.”
“Medibank will also commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers,” he said.
Medibank continues to work with the Australian government, including the Australian Cyber Security Centre and the Australian Federal Police.