Health insurer's infosec incident diagnosis goes from 'take a chill pill' to emergency ward

Australian health insurer Medibank has revealed it's been contacted by a group that claims to have its customers' data and is threatening to distribute it. As The Register reported last week, on October 13 the formerly government-owned insurer advised [PDF] it had spotted "unusual activity on its network" and had taken systems …

  1. Phil Kingston
    Meh

    And no one was surprised

  2. Phil Kingston

    https://www.medibank.com.au/health-insurance/info/cyber-security/

    "Medibank has been contacted by a criminal claiming to have stolen data and who has provided a sample of records for 100 policies which we believe has come from our ahm and international student systems"

    Shit got real.

  3. Sampler

    Ex customers

    One thing that's irked me for both this and Optus, as I've been contacted by both, is, in both cases, I'm no longer a customer, for not an insubstantial time either.

    I understand there's probably some regulatory retention required, but that should be limited to just what's required; surely a lot of the data sensitive to me if leaked isn't in that loop. As soon as data's no longer needed it should be expunged; ex-customers get shunted out of production and into some write-only database for the production system, and a local user (or separate system) can deal with pulling any historic records for review.

    Both are big enough that there shouldn't be the excuse that this is too expensive or put in the too hard basket.

    I have better procedures for data management and I work in a small market research agency (with a metric shit ton of personal data, so, you know, we can do research).

    1. Phil Kingston

      Re: Ex customers

      I've more sympathy for Medibank than Optus - at least Medibank have a sensible need to hold personal data (Optus have absolutely no need for most of the personal info they hold other than just doing what ASIO tell them via ACMA).

      There is no reason I shouldn't be able to walk into the corner deli, buy a SIM with a tenner, hand over a 50 for a code to put credit on it and be watching TikToks in just a few minutes.

      Even if telcos are compelled to do an ID check then the account should be flagged as "ID verified" then the personal data deleted.

      What's good about these two high-profile incidents is that people are talking about it now and waking up to the fact that you don't just have to hand over information when asked. Buying some bed linen? Cool. Can I have your name and address? "No". It's perfectly fine to say no.
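The two patterns argued for above (Sampler's "ex-customers get shunted out of production into a write-only archive" and Phil Kingston's "flag the account as ID verified, then delete the document") can both be expressed as a small data-minimisation job. The following is an added example written for this thread, not code from Medibank, Optus or The Register; the schema, the sample rows, the date and the 7-year retention window are all constructed assumptions, and the "archive" is a separate table that the production path only ever INSERTs into.

```python
import sqlite3
from datetime import date, timedelta

# Constructed schema: a production customer table plus a separate archive.
# The production application is only ever given INSERT on the archive;
# reading it back is left to a separate review system, as the post suggests.
SCHEMA = """
CREATE TABLE customers (
    id            INTEGER PRIMARY KEY,
    name          TEXT NOT NULL,
    address       TEXT,
    date_of_birth TEXT,
    id_document   TEXT,                    -- document number captured for an ID check
    id_verified   INTEGER NOT NULL DEFAULT 0,
    status        TEXT NOT NULL,           -- 'active' or 'closed'
    closed_on     TEXT                     -- ISO date, NULL while active
);
CREATE TABLE archive (
    id            INTEGER PRIMARY KEY,
    name          TEXT NOT NULL,
    address       TEXT,
    date_of_birth TEXT,
    status        TEXT NOT NULL,
    closed_on     TEXT,
    archived_on   TEXT NOT NULL
);
"""

# Constructed sample rows (assumed values, not real customers).
SAMPLE_ROWS = [
    (1, "A. Active", "1 Main St", "1980-01-01", "P1234567", 0, "active", None),
    (2, "B. Recent", "2 Side St", "1975-06-30", "P7654321", 0, "closed", "2022-05-01"),
    (3, "C. Old",    "3 Back Ln", "1990-12-12", "P1111111", 0, "closed", "2015-03-15"),
]

TODAY = date(2022, 10, 26)        # assumed "today" for the sweep
RETENTION_DAYS = 7 * 365          # assumed regulatory window; a placeholder, not a real rule


def open_db():
    """Create an in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def mark_id_verified(conn, customer_id):
    """Record that the ID check passed, then drop the document itself.

    Only the boolean outcome is kept; the document number is no longer needed
    once the check is done, so it is not retained where a breach could expose it.
    """
    conn.execute(
        "UPDATE customers SET id_verified = 1, id_document = NULL WHERE id = ?",
        (customer_id,),
    )
    conn.commit()


def retention_sweep(conn, today, retention_days):
    """Move closed accounts past the retention window out of production.

    Returns the number of accounts archived. The archive row carries only the
    fields a later record review needs; the ID document never leaves production
    and is deleted with the production row.
    """
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    rows = conn.execute(
        "SELECT id, name, address, date_of_birth, status, closed_on "
        "FROM customers WHERE status = 'closed' AND closed_on <= ?",
        (cutoff,),
    ).fetchall()
    for row in rows:
        conn.execute("INSERT INTO archive VALUES (?,?,?,?,?,?,?)", row + (today.isoformat(),))
        conn.execute("DELETE FROM customers WHERE id = ?", (row[0],))
    conn.commit()
    return len(rows)


def production_ids(conn):
    """IDs still held in the production table."""
    return [r[0] for r in conn.execute("SELECT id FROM customers ORDER BY id")]


def archive_ids(conn):
    """IDs moved to the archive (read here only for the demonstration)."""
    return [r[0] for r in conn.execute("SELECT id FROM archive ORDER BY id")]


def id_check_state(conn, customer_id):
    """(id_verified, id_document) for one customer, to show what survives the check."""
    return conn.execute(
        "SELECT id_verified, id_document FROM customers WHERE id = ?", (customer_id,)
    ).fetchone()


if __name__ == "__main__":
    db = open_db()
    print("archived:", retention_sweep(db, TODAY, RETENTION_DAYS))
    print("production:", production_ids(db), "archive:", archive_ids(db))
    mark_id_verified(db, 1)
    print("customer 1 after ID check:", id_check_state(db, 1))
```

Run as a script, the sweep archives only the account closed in 2015 and leaves the 2022 closure in production until its own window expires; the ID-verified row keeps a flag and nothing else. In a real deployment the archive would live on a separate system with a separate credential, so that a compromise of the production application's database account cannot read historic records back.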

      1. Anonymous Coward

        Re: Ex customers

        > at least Medibank have a sensible need to hold personal data

        That implies an even more sensible need to *protect* that data, as well as not retain data which has already served its purpose.

    2. Hamiltonian42

      Re: Ex customers

      The regulatory requirement to retain data will far exceed your time as a customer… and rightly so. Suppose you have issues after two years, but are no longer on their system? “We have no record of treating you” is nearly as bad as “I’m sorry for your illness but we have no intention of helping you”.

  4. Anonymous Coward

    The Norks, the Chinese or the Russians

    But probably some 17 year old kid!

  5. cantankerous swineherd

    If Medibank held my records I'd be expecting them to pay up. They pay the price for their balls-up, not me.

  6. J. Cook Silver badge

    And if any of the data was US citizens', that's a HIPAA breach on top of that - US firms get into MASSIVE amounts of trouble (with matching fines!) for not protecting PHI...

  7. David 132 Silver badge
    Coat

    "Medibank has been contacted by a criminal claiming to have stolen 200GB of data"

    See, this is why all PII on corporate systems should be stored in the form of 8K video recordings of someone vvveeeerrryyy ssllloowwwlllyy reading out the information.

    That way, cybercrims could grab 200GB of data and that would be, like, 1 person's personal information. At most.

  8. Mark Exclamation

    "....and explained it had taken down the apps mentioned above out of an abundance of caution, and had used the downtime to improve security across its operations."

    Er, shouldn't security already be at its maximum? If it takes a hack to "improve security" then they are culpable.

  9. Phil Kingston

    So, full pop then:

    https://www.medibank.com.au/health-insurance/info/cyber-security/

    Update at 9.30am – Wednesday, 26 October

    Since yesterday’s announcement, our cybercrime investigation has now established that the criminal had access to:

    All ahm customers’ personal data and significant amounts of health claims data

    All international student customers’ personal data and significant amounts of health claims data

    All Medibank customers’ personal data and significant amounts of health claims data
