Medicare was thorough in its response to a cyber incident. Photo: Shutterstock
One of Australia’s largest private health insurance providers suffered a major cybersecurity incident.
Medibank, which covered 3.7 million people in 2021, reported unusual activity on its network on October 13 and immediately engaged a cybersecurity company and launched an investigation to determine whether sensitive data, such as client files, had been accessed illegitimately.
The company also removed access to customer systems in an effort to isolate the incident and reduce the risk of system damage and data loss.
Medibank then provided regular and detailed information updates on the incident via its website, and on October 14, announced that it had already sent approximately 3.7 million informational emails to current and former customers of Medibank and ahm health insurance – the private health insurance company that operates as a member of the Medibank group.
“I apologize and recognize that in the current environment this news may cause people concern,” said Medibank CEO David Koczkar.
“Our top priority is to resolve this issue as transparently and as quickly as possible.”
As of October 17, Medibank reported that there was no evidence that customer data had been deleted from its network as a result of the cybersecurity incident. However, due to response measures taken by Medibank, users of the ahm and International Student Policy systems were unable to access affected services between Thursday, October 13 and the start of Friday, October 14.
This interruption of services was an intentional decision by Medibank taken in order to mitigate potential harm while the suspicious network activity was investigated.
“This was done out of an abundance of caution, and it allowed Medibank to provide additional protection for customer data on this system,” Medibank said.
“We apologize for the disruption this incident caused to some of our customers yesterday, but we made good progress with our systems overnight,” Koczkar said Oct. 14.
“We have taken the necessary precautions to protect the data of our customers, people and other stakeholders, and we will continue to do so.”
Is it ransomware?
The apparent Medibank cybersecurity incident is still developing, and the finer details have yet to surface – however, communications from Medibank indicate that the aforementioned suspicious network activity was consistent with precursors to a ransomware event.
“Medibank has contained the ransomware threat but remains vigilant and will take necessary steps going forward to protect its operations and customer data,” Medibank said.
Given today’s trend for major brands to experience major data breaches, attacks of this nature tend to attract attention and cause concern among customers.
Medibank demonstrated a thorough and prompt response to the incident and engaged cybersecurity experts to deal with the attack, along with a host of relevant government agencies.
“We spoke with the Australian Center for Cybersecurity, APRA, the Australian Information Commissioner’s Office, the Private Health Insurance Ombudsman, the Department of Health and the Department of the Interior during the day to make sure our regulators and other key stakeholders are informed.”
Medibank also said it was working in an “open and cooperative manner” with the Australian Cyber Security Centre, the Australian government’s lead cybersecurity agency, to “receive information and intelligence” relevant to the incident.
To date, Medibank’s ongoing investigation and handling of the incident appears to have revealed no direct evidence of ransomware infection or loss of customer data.
“The Medibank systems were not encrypted by ransomware during this incident and there is no indication that the incident was caused by a state-based threat actor.”
What should Medibank customers do?
Medibank said customers would be kept informed as the situation developed and stressed that Medibank would never make contact to ask for passwords or other sensitive information.
Although customers have been told that they do not need to do anything at this time, they are advised to remain vigilant for any suspicious emails or text messages regarding insurance services or Medibank.
As for the impact on Medibank, the potential ransomware attack and subsequent shutdown of some systems could be responsible for lower trading as shares started to fall again by almost 3% today.
Medibank assured investors that the incident has not disrupted its business momentum as it continues to liaise with customers and stakeholders through ongoing updates.