
Medibank breach casts spotlight on data security

Health insurer Medibank Private recently suffered a major data breach involving the personal and health information of millions of customers, once again casting the spotlight on data security in Australia

Australian health insurance company Medibank Private recently suffered a major data breach involving the personal and health information of millions of customers.

While it took two weeks to determine the scale of the breach, the company said the intruder had access to all of its customers’ personal data and “significant amounts of health claims data”.

That includes customers of Medibank’s ahm sub-brand, as well as international student customers. Visa conditions require international students to obtain health insurance for themselves and their dependents for the duration of their stay in Australia. Various insurers – including Medibank – offer policies tailored to these requirements.

The company has around four million current customers, and data relating to an unspecified number of former customers remains in its systems.

Medibank has determined that at least some of the data was exfiltrated, and is working to understand how each customer is affected and to notify them accordingly.

It will provide “financial support for customers who are in a uniquely vulnerable position as a result of this crime,” free identity monitoring for customers whose primary identity document, such as a driver’s licence, has been disclosed, and reimbursement of fees incurred for the re-issue of identity documents if they have been “fully compromised” by the incident.

The story began on 12 October, when Medibank detected “unusual activity” on its network. A statement issued the following morning said: “At this stage, there is no evidence that any sensitive data, including customer data, has been accessed”, and implied the problem was limited to the ahm and international student businesses.


The task of notifying customers began on 14 October, with the company noting that there was “no evidence that any customer data has been accessed”. Systems that had been taken offline as a precaution were restored.

On the morning of 17 October, Medibank CEO David Koczkar issued a statement claiming that ongoing investigations continued to show no evidence that any customer data had been removed from Medibank’s IT environment.

He added: “Our ongoing investigation has found the unusual activity we detected in part of our IT network was consistent with a possible ransomware threat.”

The following day, Medibank’s ahm, international student and policy management systems were briefly taken down again.

Late on 19 October, things took a turn for the worse. “Today we received messages from a group that wishes to negotiate regarding their alleged removal of customer data,” it said. “Urgent work is underway to establish if the claim is true, although based on our ongoing forensic investigation, we are treating the matter seriously at this time.”

So, a week after the “unusual activity” was detected, Medibank still had not determined for itself that at least some data had been extracted.

Customer data

On 20 October, it revealed the purported attacker had provided a small sample of customer data, including names, addresses, dates of birth, Medicare numbers and phone numbers, and claims data such as codes relating to diagnoses and procedures.

That is sufficient information to be able to impersonate an individual when making certain phone enquiries, and potentially cause embarrassment by disclosing aspects of a person’s medical history, such as the facility where they had received treatment.

As federal minister for home affairs, Clare O’Neil, put it: “Australians who are struggling with mental health conditions, drug and alcohol addiction or diseases that carry some shame or embarrassment are entitled to keep that information private and confidential, and for a cyber criminal to hang this over the heads of Australians is a dog act.”

The attacker claimed to have credit card and other data, but “this has not yet been verified by our investigations”, Medibank said at the time.

It wasn’t until 25 October that the company conceded that data belonging to Medibank policy holders had been accessed, along with that of ahm and international student customers. Even then, the admission appears to have been prompted by the attacker providing additional data rather than by the company’s or the authorities’ own investigation of the incident. This was the point at which Medibank announced the support package for affected customers, and said it was working with all Australian banks and the relevant government departments to increase the monitoring of their accounts.

Reducing revenue

The insurer also said it would defer scheduled premium increases from 1 November to 16 January 2023. The deferral will cost it around A$60m in revenue, which has already been offset by a post-Covid drop in claims.

On the same day, O’Neil announced that the National Coordination Mechanism (NCM) had been activated on 22 October “to bring together agencies across the federal government, states and territories to ensure that all possible support is being provided to Medibank and all those uniquely vulnerable Australians affected by this incident”.

The NCM “brings together all relevant departments, agencies, and other stakeholders to share information and coordinate an appropriate response”, she said.

Those departments and agencies include the Australian Signals Directorate, the Australian Federal Police, Services Australia and the Department of Health.

“Medibank is cooperating with government in responding to this incident,” she said, adding that “we expect the company to continue to swiftly provide the government with all the information it needs as a matter of urgency”.

Medibank Private’s share price was A$3.55 on 11 October but had fallen to A$2.86 by 27 October, at the time of writing, after the stock emerged from a trading halt. That represents a drop of around A$1.9bn in its market value.

Lessons to be learned

On the lessons that can be learned from this incident, security experts boiled it down to “if it’s not stored, it can’t be stolen”.

“We need to move beyond thinking about how we protect critical data sets to a strategy of data minimisation,” said Carsten Rudolph, a professor at Monash University’s department of software systems and cyber security. 

“For a health insurer, this would mean to critically analyse what data is actually required to deliver the service. Which type of data needs to be readily available? What data can just be used for a shorter process without actually retaining it? Further, critical customer health information should either not be stored by an insurer at all, or if it is required, it should not be easy to link it to the customer’s identity.”

Where data has to be retained, it should be kept no longer than necessary, said Rudolph.

“Also, the data that is actually collected can be encrypted so that the number of data requests can be controlled, and malicious activities can be stopped before a complete database is syphoned off. In conjunction with these measures, laws or regulations should be established to enforce lesser data collection and encryption of data once it is collected,” he added.
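The controls Rudolph describes (keep only the fields the service needs, unlink health data from identity, enforce a retention limit, and gate re-identification so a compromised account cannot siphon off a whole database) can be sketched in code. The following is an added example written for this article, not Medibank’s architecture or code: the customers, claims, clinical codes, retention window and lookup quota are all constructed, and the HMAC pseudonym plus quota-gated re-identification service stands in for whatever key management and access control a real insurer would deploy.

```python
"""Added example: data minimisation, pseudonymisation and a quota-gated
re-identification gateway for health claims data. Constructed sample
data; not Medibank's systems."""
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical customers and claims).
CUSTOMERS = {
    "C1001": {"name": "Alice Example", "medicare": "2123 45678 1", "dob": "1985-02-14"},
    "C1002": {"name": "Bob Example", "medicare": "3123 45678 1", "dob": "1990-07-30"},
    "C1003": {"name": "Carol Example", "medicare": "4123 45678 1", "dob": "1978-11-02"},
}
RAW_CLAIMS = [  # "day" is a day number, so retention can be checked by subtraction
    {"customer_id": "C1001", "code": "MBS-23", "day": 100},
    {"customer_id": "C1002", "code": "ICD-F32", "day": 250},
    {"customer_id": "C1003", "code": "MBS-104", "day": 900},
    {"customer_id": "C1001", "code": "MBS-44", "day": 1500},
]
RETENTION_DAYS = 7 * 365  # hypothetical retention limit


def pseudonym(key: bytes, customer_id: str) -> str:
    """Keyed one-way token: the same customer always maps to the same token,
    but nothing in the claims store can be turned back into an identity
    without the key, which only the gateway holds."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:32]


def minimise_claims(key: bytes, raw_claims: list) -> list:
    """The claims store keeps only what claims processing needs: the
    pseudonym, the clinical code and the date. No name, address or Medicare
    number is ever written to it."""
    return [{"pid": pseudonym(key, c["customer_id"]), "code": c["code"], "day": c["day"]}
            for c in raw_claims]


def purge_expired(claims: list, today: int, retention_days: int = RETENTION_DAYS) -> list:
    """Retention: drop claims older than the retention window."""
    return [c for c in claims if today - c["day"] <= retention_days]


class ReidentificationGateway:
    """The only component holding the key and the identity data. Every lookup
    is attributed to a caller, counted against a per-caller quota and logged;
    once the quota is exceeded, further lookups are denied and an alert is
    raised, so bulk re-identification is stopped rather than merely recorded."""

    def __init__(self, key: bytes, customers: dict, quota: int = 3):
        self._index = {pseudonym(key, cid): cid for cid in customers}
        self._customers = customers
        self.quota = quota
        self.calls = {}   # caller -> number of lookups made
        self.audit = []   # (caller, pseudonym, outcome)
        self.alerts = []

    def reidentify(self, caller: str, pid: str):
        n = self.calls.get(caller, 0) + 1
        self.calls[caller] = n
        if n > self.quota:
            self.alerts.append(f"{caller}: lookup quota exceeded ({n} requests)")
            self.audit.append((caller, pid, "DENIED"))
            return None
        cid = self._index.get(pid)
        self.audit.append((caller, pid, "OK" if cid else "UNKNOWN"))
        return self._customers.get(cid)


def simulate_bulk_exfiltration(today: int = 1600) -> dict:
    """An attacker who can read the whole claims store obtains clinical codes
    but no identities; feeding every pseudonym through the gateway is cut off
    at the quota, with the remaining lookups denied and alerted on."""
    key = secrets.token_bytes(32)  # in production: held in an HSM/KMS, not in app memory
    claims = purge_expired(minimise_claims(key, RAW_CLAIMS), today)
    gateway = ReidentificationGateway(key, CUSTOMERS, quota=2)
    recovered = [gateway.reidentify("attacker", c["pid"]) for c in claims]
    return {
        "claims_retained": len(claims),
        "fields_in_claims_store": sorted(claims[0].keys()),
        "identities_recovered": sum(1 for r in recovered if r),
        "alerts": len(gateway.alerts),
    }


if __name__ == "__main__":
    print(simulate_bulk_exfiltration())
```

The design point is that a copy of the claims store on its own reveals diagnosis and procedure codes against opaque tokens, not against names and Medicare numbers, and the one place that can join the two is a service that counts and can refuse requests. A real deployment would put the key in a KMS or HSM, make the quota per caller per time window, and feed the audit log and alerts into the SOC; a retention sweep would run on a schedule rather than at read time.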
