
And no one was surprised
Australian health insurer Medibank has revealed it's been contacted by a group that claims to have its customers' data and is threatening to distribute it. As The Register reported last week, on October 13 the formerly government-owned insurer advised [PDF] it had spotted "unusual activity on its network" and had taken systems …
One thing that's irked me for both this and Optus, as I've been contacted by both, is, in both cases, I'm no longer a customer, for not an insubstantial time either.
I understand there's probably some regulatory retention required, but that should be limited to just what's required; surely a lot of the data sensitive to me if leaked isn't in that loop. Soon as data's no longer needed it should be expunged, ex-customers get shunted out of production and into some write-only database for the production system and a local user (or separate system) can deal with pulling any historic records for review.
Both are big enough that there shouldn't be the excuse that this is too expensive or put in the too hard basket.
I have better procedures for data management and I work in a small market research agency (with a metric shit ton of personal data, so, you know, we can do research).
I've more sympathy for Medibank than Optus - at least Medibank have a sensible need to hold personal data (Optus have absolutely no need for most of the personal info they hold other than just doing what ASIO tell them via ACMA).
There is no reason I shouldn't be able to walk into the corner deli, buy a SIM with a tenner, hand over a 50 for a code to put credit on it and be watching TikToks in just a few minutes.
Even if telcos are compelled to do an ID check then the account should be flagged as "ID verified" then the personal data deleted.
What's good about these two high-profile incidents is that people are talking about it now and waking up to the fact that you don't just have to hand over information when asked. Buying some bed linen? Cool. Can I have your name and address? "No". It's perfectly fine to say no.
The regulatory requirement to retain data will far exceed your time as a customer… and rightly so. Suppose you have issues after two years, but are no longer on their system? “We have no record of treating you” is nearly as bad as “I’m sorry for your illness but we have no intention of helping you”.
See, this is why all PII on corporate systems should be stored in the form of 8K video recordings of someone vvveeeerrryyy ssllloowwwlllyy reading out the information.
That way, cybercrims could grab 200GB of data and that would be, like, 1 person's personal information. At most.
So, full pop then:
https://www.medibank.com.au/health-insurance/info/cyber-security/
Update at 9.30am – Wednesday, 26 October
Since yesterday’s announcement, our cybercrime investigation has now established that the criminal had access to:
All ahm customers’ personal data and significant amounts of health claims data
All international student customers’ personal data and significant amounts of health claims data
All Medibank customers’ personal data and significant amounts of health claims data