Health insurer Medibank's data breach diagnosis keeps getting worse

Australian health insurer Medibank's data breach was today revealed to be even worse than first thought, with a regulatory filing stating that info describing all four million customers has been accessed.

Medibank first admitted to an attack on October 13. At the time it said it had taken down systems that run two sub-brands as a precaution, but that no customer data had been accessed at either those brands or Medibank itself.

That assessment was optimistic.

Last week the company revealed that assessment was wrong and parties unknown had contacted it to negotiate over how to prevent release of the data. One hundred records were revealed by the data thieves – some including information about medical treatments customers had undergone – and that hoard was verified as coming from the insurer.

On October 25 the insurer disclosed [PDF] that data at all its brands had been accessed.

And today came the big one: news [PDF] that "personal data and significant amounts of health claims data" was accessed across all three brands.

That means details of the medical services used by policy holders was exposed, in addition to their other personal data.

Medibank still does not know how many customers' data was stolen, but warned "it is now likely that the criminal has stolen further personal and health claims data" beyond the 1,000-odd records that the perp has leaked as part of its attempt to extract payment from Medibank.

The insurer's Wednesday update also reveals that it does not have cyber insurance and expects the incident will create costs of between AU$25 million and AU$35 million ($16M to $22.4M) in its next half.

• FTC slaps down Drizly CEO after 2.4m user records stolen from 'careless' booze app biz
• Oops, web trackers may have leaked 3 million patients' info
• Cost of a health insurance security breach? NY watchdogs say it's $4.5m
• Store credit card numbers in a debug log, lose millions of accounts. Cost? $1.9m

Large fines and regulatory displeasure also await the company.

It has been credibly suggested that staff credentials were used to access the insurer's systems. Perhaps the creds attackers accessed belonged to a superuser, but Medibank is yet to explain how access to user accounts led to exfiltration of customer data.

The incident is ongoing, with Australian authorities investigating, politicians pontificating, and Medibank customers presumably very keen for the insurer to finish its probe into just what data was accessed and/or lost, and to avail themselves of promised services to prevent identity fraud and cover the cost of replacing ID documents.

Meanwhile the victim of Australia's other recent high-profile data breach – Singapore-owned telco Optus – has published a letter to customers [PDF] that essentially absolves itself of blame and says it handled the incident in an exemplary fashion. So that settles that, then.

"We are committed to learning, doing better in the future, and sharing lessons so all companies and all Australians can benefit from our terrible experience," the letter states. ®