Medibank decides not to pay ransomware over data breach where 10 million customers personal information has been compromised

November 7, 2022 |

This morning Medibank released a detailed statement of more details of the personal information taken through the data breach and what it will and will not be doing.  As with Optus Medibank is slowly beginning to follow the appropriate procedure long adopted by large companies in the United States.  Unfortunately both Medibank and Optus were slow to advise customers of the data breach, wretchedly slow to provide details, reluctant to offer assistance, did not publicly advertise the external help they were engaging and had dreadful media interviews.  Time is of the essence in responding on all levels to a data breach.  Having a proper and well rehearsed data breach response plan is critically important.  

In short Medibank has determined that;

  • the hackers accessed personal information of 9.7 current and former customers broken down into the following categories:
    • 5.1 million Medibank customers,
    • 2.8 million ahm customers and
    • around 1.8 million international customers
  • the personal information was:
    • the name,
    • date of birth,
    • address,
    • phone number and e
    • mail address.
    • Medicare numbers (but not expiry dates) for ahm customers
    • passport numbers (but not expiry dates) and visa details for international student customers
  • the hackers accessed health claims data for around:
    • 160,000 Medibank customers,
    • around 300,000 ahm customers and
    • around 20,000 international customers.
  • the health claim data included:
    • service provider name and location,
    • where customers received certain medical services, and
    • codes associated with diagnosis and procedures administered.
    • contact details of  around 2,900 next of kin of these patients
  • the hackers accessed health provider details, including names, provider numbers and addresses
  • the hackers did not access credit card and banking details
    • Medibank will not pay a ransom.

The media statement is designed for the market and government, not customers.  It is long, probably overlong, detailed and covers a large number of issues.  A lot of what is being proposed should have already been done. 

The media statement provides:

Medibank is committed to taking decisive action to protect our customers, our people, and the community in relation to the cybercrime perpetrated against its customers last month.

Medibank CEO David Koczkar said we again unreservedly apologise to our customers and recognise the distress this cybercrime has caused.

Medibank has today announced that no ransom payment will be made to the criminal responsible for this data theft.

Mr Koczkar said: “Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”

“It is for these reasons we have decided we will not pay a ransom for this event,” he said.

This decision is consistent with the position of the Australian Government.

Based on our investigation to date into this cybercrime we currently believe the criminal:

    • Accessed the name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives. This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers
    • Did not access primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers. Medibank does not collect primary identity documents for resident customers except in exceptional circumstances
    • Accessed Medicare numbers (but not expiry dates) for ahm customers
    • Accessed passport numbers (but not expiry dates) and visa details for international student customers
    • Accessed health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered. Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed
    • Accessed health provider details, including names, provider numbers and addresses
    • Did not access health claims data for extras services (such as dental, physio, optical and psychology)
    • Did not access credit card and banking details

Given the nature of this crime, we now believe that all of the customer data accessed could have been taken by the criminal.

Customers should remain vigilant as the criminal may publish customer data online or attempt to contact customers directly.

“We take seriously our responsibility to safeguard our customers. The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” Mr Koczkar said.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures.

“Medibank will also commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers,” he said.

Medibank continues to work with the Australian Government, including the Australian Cyber Security Centre and the Australian Federal Police.

Normal business operations have been maintained during this cybercrime event with customers continuing to access health services. No further suspicious activity inside our systems has been detected since 12 October 2022.

Medibank has prioritised preventing further unauthorised entry to its IT network and is continuing to monitor for any suspicious activity. This has included bolstering existing monitoring, adding further detection and forensics capability across Medibank’s systems and network and scaling up analytical support via specialist third parties.

Medibank has drawn on multiple sources of data across its systems to reconstruct what we believe the criminal accessed, to determine the customer impact. This complex process involved our people analysing millions of records across numerous applications and matching customer data from multiple sources.

Medibank is required by law to retain certain customer (including former customer) information for particular periods of time, generally for 7 years from when a customer leaves us, but in some instances longer.

Supporting our customers

We will continue to inform affected customers of what data we believe has been accessed or stolen and provide advice on what they should do. This will be done via email or letter and in some cases via phone.

We have expanded our dedicated Cyber Response Support Program for our customers to now include:

    • A cybercrime health & wellbeing line (1800 644 325) – counsellors that have experience supporting vulnerable people (such as those at risk of domestic violence) and have been trained to support victims of crime and issues related to sensitive health information
    • Mental health outreach service – proactive support service for customers identified as being vulnerable, or through referral from our contact centre team
    • Better Minds App – new tailored preventative health advice and resources specific to cybercrime and its impact on mental health and wellbeing, including tools for managing anxiety and fear, with additional phone based psychological support available
    • Personal duress alarms – for customers particularly vulnerable and/or with safety risks

The program already includes:

    • Hardship support for customers who are in a uniquely vulnerable position as a result of this crime which can be accessed via our contact centre team (13 23 41 for Medibank and international customers, 13 42 46 for ahm customers and 1800 081 245 for MHH patients)
    • Specialist identity protection advice and resources through IDCARE’s purpose-built Medibank page
    • Free identity monitoring services for customers whose identity has been compromised as a result of this crime
    • Reimbursement of ID replacement fees for customers who need to replace any identity documents that have been compromised as a result of this crime
    • Specialised teams to help our customers who receive scam communications or threats

To further assist our customers, we’ve extended call centre hours and created dedicated specialist teams to support customers.

Reach out for support

We understand this crime will be distressing for many of our customers.

Customers should reach out for support if they need it from:

    • Medibank’s Mental Health Support line on 1800 644 325 (Medibank international students call 1800 887 283 and ahm international students call 1800 006 745)
    • Beyond Blue (1300 224 636 / beyondblue.org.au)
    • Lifeline (13 11 14 / lifeline.org.au)
    • Their GP or other relevant health professional

Remaining vigilant

Medibank recommends being vigilant with all online communications and transactions including:

    • Being alert for any phishing scams via phone, post or email
    • Verifying any communications received to ensure they are legitimate
    • Not opening texts from unknown or suspicious numbers
    • Changing passwords regularly with ‘strong’ passwords, not re-using passwords and activating multi-factor authentications on any online accounts where available
    • Medibank will never contact customers asking for password or sensitive information

If you are a victim of cybercrime, you can report it at ReportCyber on the Australian Cyber Security Centre website.

If you wish to report a scam or a vulnerability, go to ScamWatch.

Regular updates will continue

As we have worked through this cybercrime, Medibank has committed to being transparent as events unfold and more is understood, including how that could impact our customers, our people, and the broader community.

Our investigation is ongoing, and our understanding of this crime continues to evolve. Medibank will continue to provide updates as information becomes available and is verified.

Customers are also able to access updates at www.medibank.com.au/cybersecurity.

This page will feature our latest announcements, along with answers to frequently asked questions and further details regarding our Cyber Response Support Program.

Australian Government investigation and support

The Australian Government has activated the National Coordination Mechanism to bring together agencies across the Australian Government, states and territories.

Medibank is working with the Australian Government, including the Australian Cyber Security Centre and the Australian Federal Police. The Australian Federal Police continues their criminal investigation.

Medibank thanks the Australian Government and its agencies for their ongoing support and assistance during what continues to be a difficult time for our customers and our people.

Medicare card replacement and protection

Services Australia has controls in place to prevent Medicare numbers being used for identity theft. Customers can replace their Medicare card through myGov or the Express Plus Medicare mobile app.
Find out more at www.servicesaustralia.gov.au/medicarecard.

External review

In addition to its ongoing forensic investigations, Medibank will commission an external review to ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers.

Medibank will announce more details of this review in the near future.

Medibank commits to sharing the key outcomes of the review, where appropriate, having regard to interests of its customers and stakeholders and the ongoing nature of the Australian Federal Police investigation.

The coverage of the statement has been prompt and extensive.  The ABC has reported on the release in Medibank refuses to pay ransom for hacked data as affected customer number doubles, the Sydney Morning Herald in You can’t trust a criminal’: Why Medibank won’t pay cyber ransom and Medibank says it won’t pay ransom.

The Australian covers it with Medibank will not pay cyber ransom after 10m customers compromised which provides:

Medibank will not pay any ransom demand for the data theft that affected nearly 10 million of its current and former customers, and will commission an external review into the massive breach.

The insurance giant’s CEO David Koczkar says no ransom payment has been made to the criminal, a position consistent with the federal government’s advice to not pay cyber ransoms.

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Mr Koczkar said in a statement on Monday morning.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.

“It is for these reasons we have decided we will not pay a ransom for this event.”

The hacker had said they would sell the stolen data unless Medibank paid a ransom, also threatening to release health record of 1000 high-profile customers including celebrities and bloggers.

Medibank confirmed 5.8 million former customers have had their data exposed by the breach last month in addition to all 3.9 million of its current customers.

Mr Koczkar said investigations into the incident showed the criminal accessed the name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives.

The criminal also accessed health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered.

Some 5,200 My Home Hospital (MHH) patients also had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed.

Primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers were not accessed, but Medicare numbers (but not expiry dates) for ahm customers were caught up in the breach as were passport numbers (but not expiry dates) and visa details for international student customers.

 

Health claims data for extras services (such as dental, physio, optical and psychology) were not accessed, nor were credit card and banking details, the company said.

“Given the nature of this crime, we now believe that all of the customer data accessed could have been taken by the criminal,” the company said.

“Customers should remain vigilant as the criminal may publish customer data online or attempt to contact customers directly.”

As The Australian previously reported, the criminal behind the Medibank data hack bought login credentials to gain access to the network from an online Russian criminal forum and did extensive reconnaissance before collecting the data, which experts estimate would have lasted months.

“We take seriously our responsibility to safeguard our customers. The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” Mr Koczkar said.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures.

“Medibank will also commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers.”

Medibank confirmed no credit card or banking details had been exposed.

Medibank shares are down 20 per cent over the past month, and last traded at $2.82.

 

 

Leave a Reply





Verified by MonsterInsights