Hackers gained access to millions of medical records at one of Australia’s largest private health insurers, the company said on Wednesday, prompting the government to admit that the country’s cyber protections were “inadequate”.
It was the latest in a series of hacks targeting millions of people that have made Australian companies’ lax approach to cyber security all too apparent.
Medibank chief executive David Koczkar said information on each of the company’s 3.9 million policyholders – about 15% of Australia’s population – had been compromised.
“Our investigation has now established that this criminal accessed all of our private health insurance clients’ personal data and significant amounts of their health claims data,” he said in a statement to the Australian Stock Exchange.
“This is a terrible crime. This is a crime designed to cause maximum harm to the most vulnerable members of our society.”
The cyber attack was revealed last week, but it is not yet known how many people were affected.
Hackers have previously threatened to leak data, starting with 1,000 famous Australians, unless Medibank pays a ransom.
Medibank also confirmed on Wednesday that it is not insured against cyberattacks, estimating the hack could cost the company up to A$35 million (US$22 million).
The Medibank breach follows an attack on telecommunications company Optus last month that exposed the personal information of about nine million Australians – roughly a third of the population.
The Optus attack was one of the largest data breaches in Australian history.
Australian Attorney General Mark Dreyfus previously accused the companies of storing sensitive customer data that they did not need.
The companies are currently facing minor fines – A$2.2 million – for failing to protect customer data.
Dreyfus said last week that those fines would amount to A$50 million.
“Unfortunately, the significant breaches of privacy in recent weeks have shown that existing safeguards are inadequate,” he said.
“It is not enough for a penalty for a major data breach to be seen as a cost of doing business.”
Home Affairs Minister Clare O’Neil said on Tuesday that the fallout from the Medibank hack was “potentially irreparable”.
“One of the reasons the government is concerned about this is the nature of the data,” she told the Australian parliament.
“When it comes to Australians’ personal health information, the damage here is potentially irreversible.”
O’Neil has previously described hacking as a “dog act” – an Australian phrase reserved for something particularly shameful or despicable.