Hackers have accessed millions of medical records at one of Australia’s largest private health insurers, the company said on Wednesday, urging the government to admit the country’s cyber defenses were “inadequate”.
This was the latest in a series of hacks that targeted millions of people and exposed Australian companies’ lax approach to cybersecurity.
Medibank CEO David Koczkar said information on each of the company’s 3.9 million policyholders — about 15 percent of Australia’s population — had been compromised.
“Our investigation has now revealed that this criminal accessed all of our private health insurance customers’ personal information and significant amounts of their health insurance records,” he said in a statement to the Australian Stock Exchange.
“This is a terrible crime. This is a crime designed to cause maximum harm to the most vulnerable members of our community.”
The cyber attack was uncovered last week, but until now it was not known how many people were affected.
The hackers have previously threatened to leak the data, starting with 1,000 famous Australians, unless Medibank pays a ransom.
Medibank also confirmed on Wednesday that it has no insurance against cyberattacks and estimates the hack could cost the company up to Au$35 million ($22 million).
The Medibank hack followed an attack on telecom company Optus last month that exposed the personal information of around nine million Australians – almost a third of the population.
The Optus attack was one of the largest data breaches in Australian history.
– “Insufficient” –
Australia’s Attorney General Mark Dreyfus has previously accused companies of hoarding sensitive customer data they don’t need.
Businesses are currently facing ridiculous fines – A$2.2 million – for failing to protect customer data.
Dreyfus said last week those fines would be increased to A$50 million.
“Unfortunately, significant data breaches in recent weeks have shown that existing protections are inadequate,” he said.
“It is not enough that a penalty for a major data breach is considered a cost of doing business.”
Home Secretary Clare O’Neil said on Tuesday the aftermath of the Medibank hack was “potentially irreparable”.
“One of the reasons the government is so concerned about this is the nature of the data,” she told the Australian Parliament.
“When it comes to Australians’ personal health information, the damage here is potentially irreparable.”
O’Neil has previously referred to hacking as a “dog act” – an Australian term reserved for something particularly shameful or despicable.
