Attorney General receives the review of the Privacy Act by the Attorney General’s Department after three long years.

December 21, 2022

The reviews of the Privacy Act 1988, and there have been many, have been a lesson in what not to do when reviewing legislation.  The Federal Government’s response to the 2008 Australian Law Reform Commission Report was modest, selective, incomplete and largely a failure of public policy.  The amendments to the Act, which took effect in 2014, did not go very far.  The Government commissioned yet another review in 2013, which reported in 2014 and did not materially advance the findings contained in the 2008 Report.  The Government did not accept the recommendations but rather, in 2019, commenced yet another review, this time by the Attorney General’s Department.

Innovation AU, in Privacy Act Review complete after three years, reports that the Attorney General has the product of the Review.  It appears that the Government is on track to release the Report with a view to amending the Privacy Act some time in 2023.


Another exposé about abuse of the Victorian Police LEAP database, involving litigation this time and, yes, another call for an inquiry. A chronic abuse of privacy that stubbornly is not properly addressed.

December 16, 2022

The misuse of the Victorian Police’s database, known as LEAP, has been chronic and systemic for many years.  The reports of those misdeeds by sworn officers are regular.  I posted on them on 9 February 2014 with Leakage of LEAP data an ongoing privacy issue …. for so long, on 18 May 2015 with Another problem with the Victorian Police, the LEAP database and privacy, and on 16 October 2016 with Victoria police has yet another problem with data security… new breaches familiar pattern of behaviour.  IBAC released a 33 page report on Unauthorised access and disclosure of information held by Victoria Police.

The key findings of that IBAC report were:

    • Unauthorised access and disclosure of information are key enablers of other corrupt behaviour. These corruption risks are often overlooked as risks by agencies. This is evident in the lower than expected number of reports made to IBAC, and in the behaviours uncovered in investigations undertaken by IBAC and other public sector agencies. It is expected that as the understanding of information misuse as an enabler of corruption increases, this will help detection and investigation by Victoria Police.
    • Unauthorised disclosures to the media is a risk across public sector agencies, including Victoria Police which frequently deals with issues of high public interest. These incidents are difficult to substantiate due to the source of the information leaks often being difficult to identify.
    • Sharing information with approved third parties also presents many corruption risks. Although policies may be in place to control information access and disclosure by third parties, the proactive detection and enforcement of information misuse by agencies owning the information is difficult. This is especially relevant for Victoria Police, which holds significant private personal details about citizens.
    • Increased use of personal devices and smart phones in the workplace has made unauthorised disclosure of information much easier. This is particularly the case for those Victoria Police employees who use their personal mobile phones to conduct their work duties, including using cameras to capture evidence or using applications to take notes or recordings.
    • IBAC intelligence suggests information misuse is under-reported across the entire public sector, including Victoria Police. This may be due to it being under-detected, an under-appreciation for information security and privacy rights, or a lack of awareness that information misuse and disclosure may constitute an offence in itself.
    • The number of reports of information misuse made to IBAC related to Victoria Police is higher than from other public sector agencies but is also declining. The higher number of reports may be due to Victoria Police employees and members of the public having a higher level of awareness of the risks related to information misuse, due to the large amount of sensitive information their organisation holds. The declining number of reports over time may reflect under-reporting and the difficulties in detection. A recent spike in reported incidents in 2017-18 may reflect improving information security practices by Victoria Police and its employees.
    • Victoria Police and IBAC often do not detect information misuse until they are investigating other misconduct or corrupt actions. This is partly due to information security systems, which have not been fully developed, and a lack of proactive monitoring and auditing processes in place to detect unauthorised information access.
    • Customised auditing of information access is under-utilised by Victoria Police and its benefits are under-appreciated. A program of proactive, extensive and repeated auditing could be used to identify and deter unauthorised access of information.
    • The introduction in 2016 of the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS) across the public sector is expected to reduce unauthorised information access and disclosure. For Victoria Police, the VPDSS does not represent a materially higher standard for information security than the previous Standards for Law Enforcement Data Security. However the VPDSS represents a shift from prescriptive standards to a more flexible risk-based approach.
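The IBAC findings above single out proactive, repeated auditing of information access as the detection control that is under-used. As an added illustration (not code from IBAC, Victoria Police or the author of this post), the script below runs over a handful of constructed, LEAP-style access log lines and flags the patterns such an audit program would look for: lookups that cite no case reference, one user repeatedly querying the same person’s record, and lookups outside an assumed working window. The CSV layout, the field names, the three-lookup threshold and the 06:00 to 20:00 working hours are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime


# Constructed sample audit trail (hypothetical CSV layout:
# timestamp,user,subject_id,case_ref,channel). These rows are invented
# for the example and are not real LEAP records.
SAMPLE_LOG = """\
2022-11-01T09:12:04,officer_a,SUBJ-1001,CASE-77,workstation
2022-11-01T09:15:30,officer_a,SUBJ-1002,CASE-77,workstation
2022-11-01T21:40:11,officer_b,SUBJ-2040,,mobile
2022-11-02T22:05:43,officer_b,SUBJ-2040,,mobile
2022-11-03T23:11:09,officer_b,SUBJ-2040,,mobile
2022-11-04T08:00:00,officer_c,SUBJ-3000,CASE-80,workstation
2022-11-04T08:05:00,officer_c,SUBJ-3000,CASE-80,workstation
2022-11-05T23:59:00,officer_d,SUBJ-4000,,workstation
"""


def parse_log(text):
    """Parse the CSV-style audit trail into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, subject, case_ref, channel = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "subject": subject,
            "case_ref": case_ref or None,  # empty field means no linked case
            "channel": channel,
        })
    return records


def find_uncased_lookups(records):
    """Lookups that cite no case reference, i.e. no stated operational reason."""
    return [r for r in records if r["case_ref"] is None]


def find_repeated_subject_lookups(records, threshold=3):
    """Return (user, subject, count) where one user queried the same person
    at least `threshold` times: the 'personal interest' pattern."""
    counts = Counter((r["user"], r["subject"]) for r in records)
    return sorted(
        (user, subject, n) for (user, subject), n in counts.items()
        if n >= threshold
    )


def find_after_hours(records, start_hour=6, end_hour=20):
    """Lookups outside the assumed working window [start_hour, end_hour)."""
    return [r for r in records if not (start_hour <= r["ts"].hour < end_hour)]


def audit(text):
    """Run all three checks and list the users worth a closer, human review."""
    records = parse_log(text)
    uncased = find_uncased_lookups(records)
    repeated = find_repeated_subject_lookups(records)
    after_hours = find_after_hours(records)
    flagged = {r["user"] for r in uncased} | {r["user"] for r in after_hours}
    flagged |= {user for user, _, _ in repeated}
    return {
        "total": len(records),
        "uncased": len(uncased),
        "repeated": repeated,
        "after_hours": len(after_hours),
        "flagged_users": sorted(flagged),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The point of the design is that none of the three checks needs the content of the records, only the access metadata that a system like this already logs, which is why IBAC could describe auditing as cheap relative to its deterrent value. A flagged user is a lead for a supervisor to review, not a finding on its own: a legitimate after-hours shift or a long-running case produces the same signals, so the thresholds have to be tuned to the unit’s actual working pattern.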

It is also relevant to note that the Victorian Information Commissioner, not the strongest or most rigorous privacy regulator, handed down a critical report on privacy and information handling at Victoria Police.  The 15 August report, Examination report into privacy and information handling training at Victoria Police published, finds that Victoria Police did not comply with its privacy obligations.  The media release provides:

Part of OVIC’s role as Victoria’s privacy regulator includes oversight of Victoria Police and its management of law enforcement data.

On 30 September 2021, OVIC commenced an examination into the privacy and information handling training at Victoria Police.

The objective was to examine whether the training provided to Victoria Police personnel meets the requirements of Information Privacy Principle (IPP) 4.1 under the Privacy and Data Protection Act 2014 (Vic).

IPP 4.1 outlines that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification, or disclosure.

During this examination, OVIC staff gathered information from relevant Victoria Police personnel on how training is developed, delivered, and evaluated at Victoria Police, with an interest in information handling and privacy both generally and within the context of family violence investigations.

“In performing its law enforcement functions, Victoria Police collects, manages, and uses sensitive and personal information of Victorians, including delicate information related to some of the most vulnerable members of the community” said Information Commissioner Sven Bluemmel.

“A lack of appropriate training in privacy and information handling can increase the risk of misuse, loss, unauthorised access, modification, and disclosure of this information.”

The examination found that as of February 2022, Victoria Police had not provided any privacy-specific training available for its members for more than a year. The examination also found a lack of resources within its Privacy unit and Education Unit.

While no dedicated privacy training was available to Victoria Police members, there was a range of training available to Victoria Police personnel that touched on information handling principles including cyber security and information security.

Due to a lack of dedicated privacy training and awareness provided, the examination found that Victoria Police may not be compliant with its obligations under IPP 4.1.

In contrast, the examination found that since the 2016 report of the Royal Commission into Family Violence, Victoria Police has done extensive work on providing family violence training to its personnel, including providing comprehensive guidance about handling information gathered in a family violence context.

“Victoria Police’s response to the Royal Commission into Family Violence demonstrates it can deliver effective training on handling sensitive and personal information when this is prioritised and appropriately resourced” said Mr. Bluemmel.

Victoria Police has accepted the findings of the examination and has provided further resourcing to its privacy team. It has also undertaken to review privacy and information handling education annually.

OVIC will continue its engagement with Victoria Police to promote, support, and ensure reasonable steps are taken to protect the personal information of Victorians.

The ABC reports in Victoria Police allegedly use LEAP database to pursue, stalk, harass women prompting calls for inquiry that the problem continues but now legal action is being taken against the Victoria Police.  It provides:

Rachel Wilks was just 15 when Jayden Faure used his position as a police officer to try to pursue a relationship with her. 

Ms Wilks had been assaulted by a family member. She was alone in the city with no phone or train ticket home when she came into contact with police.

“I was in a super vulnerable place,” she said.

Data breaches come in all shapes and sizes as Telstra’s addition to the hall of infamy reveals. Telstra reveals personal information onto the web through its own technical error

December 13, 2022

Not all data breaches involve criminal acts by hackers breaking into a network and exfiltrating data.  Sometimes an organisation will reveal data through its own actions.  Telstra has suffered a data breach impacting 132,000 people.  The breach involved a technical error resulting in it making personal information available online.  Telstra describes it as a misalignment of databases.  Technical errors of this nature are not inevitable.  Poor planning by IT is a common reason, focusing on the end result rather than the protections needed on the way through.

On 31 March 2020, the Federal Court of Australia made publicly available the names and details of several hundred people with cases currently or previously in the Court and the Federal Circuit Court (FCC) through the Commonwealth Courts Portal. Anyone visiting the Portal could have accessed the names and details of a person seeking asylum and information about their claim. The data breach was caused by an internal IT error.  The Federal Court should have been investigated by the Information Commissioner.  To its credit it did commission a review by Professor John McMillan in August 2020 which resulted in a 38 page report which was, not unusually for the Australian public service, a mix of polite tut-tutting, gentle patting on the back for the work done and anodyne recommendations for improvement.  If the breach had happened in the United States the landing would have been much bumpier.  The Federal Court does have a publicly available data breach response plan.  It is fairly bare-boned. One would expect a much more detailed plan to be available within the organisation.

Telstra is something of a frequent flyer in the data breach world, with a data breach in October 2022 with Australia’s Telstra hit by data breach, two weeks after attack on Optus, in May 2021 with Telstra service provider hit by cyber attack as hackers claim SIM card information stolen, in July 2018 with Telstra customer stumbles across contact details of 66,000 fellow customers, in 2018 with Medical records exposed by flaw in Telstra Health’s Argus software and in Telstra privacy breach leaves customer’s voicemail exposed, amongst other matters. If Telstra was operating in the United Kingdom or United States the regulators would take very strong and very public action.

The ABC has run a reasonably detailed story.

National Institute of Standards and Technology releases Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management: Enhancing Internet Protocol-Based IoT Device and Network Security

The National Institute of Standards and Technology (“NIST”) released a preliminary public draft of NIST SP 1800-36A: Executive Summary, Enhancing Internet Protocol-Based IoT Device and Network Security.  For a change, and pleasantly for those overwhelmed by documentation, it is quite brief.

The NIST provides excellent guidance on technical issues associated with privacy and data security.  While the publications are not officially required compliance they are hugely influential and far superior to the broad guidance released by privacy regulators in Australia and New Zealand and probably even more effective than those of the United Kingdom’s Information Commissioner who provides comprehensive and detailed guidance documents.

Given that privacy regulation has already been strengthened this year and will be overhauled next year, it is important that organisations pay heed to the relevant publications produced by NIST.  Complying with these guidelines would assist an organisation if there is a breach and the Information Commissioner starts investigating, which she now has greater powers to do, as well as now having the power to impose fines.  The overseas experience is that poor compliance on general aspects of data handling commonly causes an organisation as many difficulties with regulators as the data breach which attracted the regulator’s attention.

The abstract provides:

Providing devices with the credentials and policy needed to join a network is a process known as network-layer onboarding. Establishing trust between a network and an IoT device prior to such onboarding is crucial for mitigating the risk of potential attacks. There are two sides of this attack: one is where a device is convinced to join an unauthorized network, which would take control of the device. The other side is where a network is infiltrated by a malicious device. Trust is achieved by attesting and verifying the identity and posture of the device and the network as part of the network-layer onboarding process. Additional safeguards, such as verifying the security posture of the device before other operations occur, can be performed throughout the device lifecycle. In this practice guide, the National Cybersecurity Center of Excellence (NCCoE) applies standards, recommended practices, and commercially available technology to demonstrate various mechanisms for trusted network-layer onboarding of IoT devices. We show how to provide network credentials to IoT devices in a trusted manner and maintain a secure posture throughout the device lifecycle.


Medibank shuts all branches and goes offline from tomorrow night until Sunday to work on cyber security …the cost of the data breach rises

December 8, 2022

The woes of Medibank continue with it going offline this weekend to revamp/enhance/add data security.  It has put the best spin on it with its media release Medibank to undertake ‘Operation Safeguard’ at the weekend.  What few organisations really appreciate is the very heavy financial cost of dealing with a data breach.  The expense of bringing in experts to manage the immediate crisis becomes a costly exercise in determining the extent of the damage, then staff or consultants to liaise with media and government.  The costs continue with offering support to affected clients/customers/patients and then revamping an organisation’s security network, which is where Medibank finds itself.  Medibank also has to deal with an investigation by the Information Commissioner and a possible class action.


To disclose or not disclose a data breach…UK companies fear reporting while a Brooklyn Hospital suffers a backlash because it did not notify about a data breach

December 7, 2022

In Australia, under Part IIIC of the Privacy Act 1988, organisations covered by the Privacy Act and Commonwealth Government agencies are required to notify of a data breach in certain circumstances, what is known as an eligible data breach.  It is effectively a self assessment, though there are consequences if there is no notification when there should have been one.  It is a regime that has been justifiably criticised in the wake of the Optus and Medibank data breaches.  The recent amendments to the regime improve rather than fix its operation.

It is an open secret that there is significant under reporting of data breaches in the United States, United Kingdom and Australia.

In UK Companies Fear Reporting Cyber Incidents, Parliament Told, Data Breach Today reports that there may be a deep reluctance to report breaches to the UK Information Commissioner.  There is mandatory data breach notification in the United Kingdom and affected entities are supposed to report within 72 hours of becoming aware of the breach.  This reluctance to report can and often does backfire, as the story Brooklyn Hospitals Decried for Silence on Cyber Incident shows.  In that case Brooklyn Hospitals were hit with a ransomware attack on 19 November which necessitated transferring patients to other hospitals. The lack of explanation caused annoyance, at minimum, for other hospitals as well as the patients affected.  This poor practice results in even closer scrutiny by regulators.

The reluctance of UK entities to report a data breach because of additional scrutiny from the Information Commissioner remains poor practice.  It is almost trite to say that organisations that suffer data breaches almost invariably had privacy and data security as a low priority, which translated into inadequate training and data handling practices.  When regulators respond to a notification they often find a litany of other issues.  Sometimes those are the issues that cause the organisations the greater difficulty. A common problem is data collection.  Many organisations hold onto personal information long after they have any need for it. Names of long departed or deceased customers/patients, details of people who have unsubscribed from a service and solicited information are commonly held.  Because the cost of storage is relatively inexpensive and data held digitally does not take up physical space, it is not inconvenient to hold that data for whatever reason.


Information Commissioner announces investigation into Medlab over data breach

December 5, 2022

On 27 October 2022 Medlab Pathology announced that it had experienced a cyber attack in February 2022. The timing is interesting given that Optus notified customers in September about its breach and further notifications and advice were provided in October.  Coincidence?  It is very curious.

In its statement Medlab doesn’t say when the breach was first detected but confirms that the ACSC contacted Medlab in June when it detected data that had been published on the dark web.  Its explanation as to why it did not notify customers until 27 October is general and convoluted to the point of being disingenuous. It says that it took several months to download and analyse “what information was and who it belonged to.”  That is far from best practice and would attract the ire of regulators in England and the European Union.  Medlab’s statement is not good. It begs many more questions than it answers.  Perhaps it is the best that could be done given the way Medlab handled the breach.

Subsequent to the October announcement there were reports stating that the cyber attack affected 223,000 Australians and:

  • 17,539 individual medical and health records associated with a pathology test;
  • 28,286 credit card numbers and individuals’ names. Of these records, ~15,724 have expired and ~3,375 have a CVV code; and
  • 128,608 Medicare numbers (not copies of cards) and an individual’s name.

The Office of the Information Commissioner undertook preliminary enquiries, which is entirely understandable given the size of the breach, the apparent delay in notification and the sensitivity of the personal information lost.  Those enquiries have led to today’s announcement that it would open a formal investigation.  That is hardly surprising.

Under the legislation an affected organisation has 30 days to notify the Commissioner and clients if there has been a notifiable data breach.  It is critically important to respond efficiently to the data breach.  That means having a plan that can be put in place before suffering a data breach. Trying to understand the law as well as undertake remediation efforts as well as continue to run the business at the time of the data breach is a recipe for poorly thought through actions, missteps and poor outcomes possibly ending up with the regulator investigating.

This may be a very influential investigation in setting parameters as to what reasonable steps are to be taken to investigate a data breach and notify customers.  A complicating factor is the likelihood that the data breach notification regime will be overhauled.  It may still be an influential investigation if the Commissioner sets down principles in a determination, or the court may provide judicial guidance on what reasonable steps constitute.

Re Straightline Construction Co Pty Ltd [2022] VSC 708 (18 November 2022); Application to set aside a statutory demand pursuant to s 459G of the Corporations Act 2001 (Cth) on grounds of genuine dispute, dispute as to the identity of the contracting parties

December 4, 2022

In Re Straightline Construction Co Pty Ltd [2022] VSC 708 the Supreme Court, per Gardiner AsJ, considered an application to set aside a statutory demand on the grounds that the applicant was not a party to the agreement giving rise to the liability which formed the basis of the statutory demand.  This is quite a common issue where parties are involved in the building and construction industry.  It is not uncommon for builders to work through multiple entities, many of whose names are quite similar.  As this case demonstrates, it is not enough for the Applicant simply to allege that the wrong party was served with a demand because another entity was a party to the contract. Such a contention can be successfully challenged if the respondent has contemporaneous documentation and concessions by representatives of the applicant.

FACTS

 On 9 December 2021, Hansen Yuncken Pty Ltd (‘Hansen Yuncken’), as head contractor, engaged Straightline Civil Pty Ltd (‘Straightline Civil’), as subcontractor, (‘the Hansen Yuncken Contract’) to carry out retention and foundation piling works as part of a large residential construction project at Bills Street, Hawthorn (‘the Project’) [6]

Straightline Construction’s evidence was that:

  • it defined the issue as

[Straightline Construction] disputes that the debt claimed in the Statutory Demand is due and payable, by reason of there being a genuine dispute that the debt is owing as the Company is not the entity which contracted with [Browns] to perform the services detailed in the Invoices, and the debts have not been sufficiently particularised.

  • Straightline Construction was incorporated in March 2020
  • Straightline Construction performs civil construction works in metropolitan Melbourne, particularly in Brighton and Clayton
  • there are various ‘Straightline’ entities with different controllers, each having its own role in different projects & that Straightline Construction is not involved in the Hansen Yuncken contract at all [38]
  • where it is said that Browns had dealings with ‘Straightline’ for several years, it was in fact engaged by four separate Straightline entities depending on the project and the entity involved in the Project was Straightline Civil, not Straightline Construction [40].
  • a direction should have been issued to make it clear that invoices were to be issued to Straightline Civil and not Straightline Construction [41] invoices addressed to Straightline Construction should have been requested to be reissued to Straightline Civil.
  • on 20 September 2022, Peter Greenstreet, an Operations Manager of Browns, sent an email enquiring as to whom the invoices for the remaining works on the Project should be issued to & Oltan Yemez, representing Straightline Civil, responded, stating that all invoices should be issued to Straightline Civil [42].
  • an ASIC search of Straightline Civil  records Tarkan Gulenc as the sole director & the correspondence referred to between Mr Gulenc and representatives of Browns confirms that Straightline Civil admits it owes the debt [43]
  • in regard to correspondence relied on by Browns to support their proposition that Straightline Construction owes the debt, the reference to intentions to pay  does not refer to Straightline Construction being liable to pay the debt [46].
  • the communications containing promises to pay in the text message exchanges on 8 July 2022 were in the context of a statutory demand having been served by Browns approximately one month before and no reference to the identity of the contracting party as Straightline Civil [47]
  • an agreement has been reached (which he refers to as the ‘Tri-Partite Deed’) between representatives of Hansen Yuncken, Straightline Civil, and Browns in relation to the payment of outstanding amounts, whereby Hansen Yuncken agrees to pay progress payments due to Straightline Civil in respect of the Project directly to Browns, in satisfaction of outstanding invoices rendered by Browns in relation to the Project (including those the subject of the Demand) and that a total of $193,775.56 has been paid to date, being the payment of $105,739.93 (including GST) in relation to the July Payment Schedule and $88,035.63 (including GST) in relation to the August Payment Schedule [51] – [52].
  • Straightline Construction has never been contracted to perform subcontract work on any sites in Hawthorn [12]


32 million records compromised in 95 security incidents in November 2022

IT Governance reports that in November there were 95 breaches resulting in 32,051,144 records being affected.  What is significant is that almost half of the records affected came from two data breaches, Whoosh and Twitter.

The report provides:

Welcome to our November 2022 review of data breaches and cyber attacks. We identified 95 security incidents throughout the month, accounting for 32,051,144 breached records.

Almost half of that figure comes from two incidents. The first was a data breach at Twitter, in the latest PR disaster for the social media giant. Reports emerged late last week that user records were stolen using an API vulnerability that has since been fixed.

The second was a cyber attack on the Russian scooter-sharing service Whoosh, which was discovered after customers’ data was put up for sale on the dark web.

As always, you can find the full list of data breaches and cyber attacks below, divided into their respective categories.

Meanwhile, be sure to subscribe to our Weekly Round-up to receive the latest cyber security news and advice delivered straight to your inbox.


Medibank’s woes continue….with a further document dump and formal announcement that the Information Commissioner has opened an investigation into the data breach. A salutary warning to organisations to keep data secure to start with.

The core advice given by privacy lawyers is that organisations should put the time, effort and coin into having proper software, systems and training to minimise the chance of a data breach rather than spending multiples of that time, effort and money in cleaning up after a data breach.  The Medibank data breach highlights the correctness of that approach.  Medibank is suffering multiple wounds from the hackers who stole the personal information of millions of its customers. The latest assault is the release of a significant volume of data onto the dark web.

The Medibank press release provides:

We are aware that stolen Medibank customer data has been released on the dark web overnight.

We are in the process of analysing the data, but the data released appears to be the data we believed the criminal stole.

Unfortunately, we expected the criminal to continue to release files on the dark web.

While our investigation continues there are currently no signs that financial or banking data has been taken. And the personal data stolen, in itself, is not sufficient to enable identity and financial fraud. The raw data we have analysed today so far is incomplete and hard to understand.

Medibank CEO David Koczkar said while there are media reports of this being a signal of ‘case closed’, our work is not over.

“We are remaining vigilant and are doing everything we can to ensure our customers are supported. It’s important everyone stays vigilant to any suspicious activity online or over the phone,” he said.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures.

“If customers are concerned, they should reach out for support from our cybercrime hotline, our mental health support line, Beyond Blue, Lifeline or their GP.

“Anyone who downloads this data from the dark web, which is more complicated than searching for information in a public internet forum and attempts to profit from it is committing a crime.

“The Australian Federal Police have said law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offenses using stolen Medibank customer data. We continue to work closely with the Australian Federal Police who are focused, as part of Operation Guardian, on preventing the criminal misuse of this data.

“Again, I unreservedly apologise to our customers.

“We remain committed to fully and transparently communicating with customers and we will continue to contact customers whose data has been released on the dark web,” Mr Koczkar said.

Our customers can also contact us to understand what data has been accessed – we’ve extended call centre hours and we’ve increased our customer support team by more than 300 people. In addition, from this week, we’re taking extra security steps to further protect our customers – with two-factor authentication in our contact centres. So, when a customer calls for support, we can verify their identify and be sure we’re speaking with them and not someone else.

Data released on the dark web today

We are conducting further analysis on the files today and at this stage believe:

    • There are 6 zipped files in a folder called ‘full’ containing the raw data that we believed the criminal stole
    • Much of the data is incomplete and hard to understand
    • For example, health claims data released today has not been joined with customer name and contact details

Given the sensitive nature of the stolen customer data that is being released on the dark web we continue to ask the media and others to support our ongoing efforts to minimise harm to customers, and not to unnecessarily download sensitive personal data from the dark web and to refrain from contacting customers directly.

Supporting our customers

Our dedicated Cyber Response Support Program for our customers includes:
• A cybercrime health & wellbeing line (1800 644 325) – counsellors that have experience supporting vulnerable people (such as those at risk of domestic violence) and have been trained to support victims of crime and issues related to sensitive health information
• Mental health outreach service – proactive support service for customers identified as being vulnerable, or through referral from our contact centre team
• Better Minds App – new tailored preventative health advice and resources specific to cybercrime and its impact on mental health and wellbeing, including tools for managing anxiety and fear, with additional phone based psychological support available
• Personal duress alarms – for customers particularly vulnerable and/or with safety risks
• Hardship support for customers who are in a uniquely vulnerable position as a result of this crime, which can be accessed via our contact centre team (13 23 31 for Medibank and international customers, 13 42 46 for ahm customers and 1800 081 245 for My Home Hospital patients)
• Specialist identity protection advice and resources through IDCARE’s purpose-built Medibank page
• Free identity monitoring services for customers whose identity has been compromised as a result of this crime
• Reimbursement of ID replacement fees for customers who need to replace any identity documents that have been compromised as a result of this crime
• Specialised teams to help our customers who receive scam communications or threats

Reach out for support

We understand this crime will be distressing for many of our customers.

Customers should reach out for support if they need it from:
• Medibank’s Mental Health Support line on 1800 644 325 (Medibank international students call 1800 887 283 and ahm international students call 1800 006 745)
• Beyond Blue (1300 224 636 / beyondblue.org.au)
• Lifeline (13 11 14 / lifeline.org.au)
• Their GP or other relevant health professional

Remaining vigilant

Medibank recommends being vigilant with all online communications and transactions including:
• Being alert for any phishing scams via phone, post or email
• Verifying any communications received to ensure they are legitimate
• Not opening texts from unknown or suspicious numbers
• Changing passwords regularly with ‘strong’ passwords, not re-using passwords and activating multi-factor authentication on any online accounts where available
• Medibank will never contact customers asking for password or sensitive information

If you are contacted by someone who claims to have your data, or you are a victim of cybercrime, you can report it at ReportCyber on the Australian Cyber Security Centre website. To report a scam, go to ScamWatch. If you believe you are at physical risk, please call emergency services (000) immediately.

Customer data we currently believe the criminal has stolen

• The name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives. This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers
• Medicare numbers (but not expiry dates) for ahm customers
• Passport numbers (but not expiry dates) and visa details for international student customers
• Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered. Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed
• Health provider details, including names, provider numbers and addresses

Based on our investigations to date, we currently believe the criminal:
• Did not access primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers. Medibank does not collect primary identity documents for resident customers except in exceptional circumstances
• Did not access health claims data for extras services (such as dental, physio, optical and psychology)
• Did not access credit card and banking details
