It has been confirmed by Medibank that the criminal behind its cyber breach had access to the data of all 4 million of its customers.
On Tuesday, the company said it suspected this was the case and now has given confirmation that customer personal data as well as “significant amounts” of health claims data has been exposed.
A statement from Medibank said its investigation into the cybercrime established the criminal had accessed the personal data of all Medibank, ahm and international student customers.
Personal information includes name, date of birth, address and some Medicare card numbers.
It is expected that the number of people affected will continue to grow significantly, with an unknown number of former customers also impacted in addition to the 4 million currently with Medibank.
People no longer with Medibank can also be affected by the breach because state and territory health record laws require the company to keep information of past adult customers for seven years.
Medibank announced a support package for those affected that includes financial support for those in a “uniquely vulnerable position” because of the hack and customers getting reimbursed for the costs of re-issuing identity documents that have been compromised.
“As previously advised, we have evidence that the criminal has removed some of this data and it is now likely that the criminal has stolen further personal and health claims data,” the statement said.
“As a result, we expect that the number of affected customers could grow substantially.
“Our priority is to continue working to understand the specific data that has been taken for each of our customers so that we can contact them directly to let them know.”
Given the medical information involved, experts say this is an even worse breach than the one Optus suffered in September.
Clare O’Neil, the Minister for Home Affairs and Minister for Cyber Security called the hack of private health information “a dog act”.
“It is scum of the earth, lowest of the low territory,” she said to Question Time.
Medibank is working with the federal government, the Australian Federal Police, and the Australian Signals Directorates cyber security centre in response to the hack.