West News Wire: As the government announced legislation that would enhance penalties for businesses that fail to protect customers’ private information, Australia’s largest health insurer claimed that a cybercriminal had stolen the personal information of all its 4 million customers.
In addition, “large volumes of health claims data” were accessed, according to Medibank’s statement on Wednesday. The breach was reported to authorities a week ago when trading in the company’s stock was suspended.
The thief reportedly threatened to publish the diagnoses and treatments of high-profile customers unless a ransom was paid.
According to Medibank, its top priority is to identify precisely what information was stolen for each customer and to notify them.
The company had previously said the breach was thought to be limited to its subsidiary AHM and foreign students.
“Our investigation has now established that this criminal has accessed all our private health insurance customers’ personal data and significant amounts of their health claims data,” Medibank Chief Executive Officer David Koczkar said in a statement to the Australian Securities Exchange.
“This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community,” Koczkar added, with an apology to customers.
The government has been planning urgent legislative reforms on cybersecurity regulation since a hacker stole the personal data of nearly 10 million current and former customers of Optus, Australia’s second-largest wireless telecommunications carrier.
Optus became aware on September 21 that the personal data of more than one-third of Australia’s population of 26 million had been stolen.
In introducing amendments to the Privacy Act to Parliament on Wednesday, Attorney General Mark Dreyfus mentioned both companies and MyDeal, an online retail intermediary that lost the data of 2.2 million customers in a hack revealed two weeks ago.
“As the Optus, Medibank and MyDeal cyberattacks have recently highlighted, data breaches have the potential to cause serious financial and emotional harm to Australians, and this is unacceptable,” Dreyfus told Parliament.
“Governments, businesses and other organizations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset,” Dreyfus added.
The government has criticized companies that collect more customer data than they need in order to monetize it in ways unrelated to the services for which the information was provided.
The penalties for serious breaches of the Privacy Act would increase from 2.2 million to 50 million Australian dollars ($1.4m to $32m) under the proposed amendments.
A company could also be fined the value of 30 percent of its revenues over a defined period if that amount exceeded 50 million Australian dollars ($32m).
Medibank said on Wednesday it did not have cyber insurance and estimated the hack would reduce its earnings by between 25 million and 35 million Australian dollars ($16m to $22m) by early next year.
The Medibank trading halt was lifted on Wednesday and shares slid more than 14 percent in early trading.