Key Points
- Data listing patients alongside billing codes for procedures including abortion have already reportedly been published on the dark web.
- Elaine is worried about what information hackers have about her.
- The Medibank CEO has apologised and set up a support program for those affected.
Elaine Zhang is cautious about her privacy online, and the possibility of her personal details and medical history being made public by hackers is a huge worry.
The Melbourne woman is one of nearly 10 million people whose customer data was
The breach saw the names, dates of birth, addresses, phone numbers, and email addresses of 5.1 million Medibank customers, 2.8 million ahm customers, and around 1.8 million international customers accessed. Some of those customers had further data accessed, including the health claims of about half a million people.
On Friday, Australian Federal Police Commissioner Reece Kershaw said that the AFP was aware of who was responsible for the hack but other than describing them as a group of , would not identify them at this stage.
The Russian embassy in Australia said it was disappointed that the AFP had identified Russia-based criminals as the culprits without contacting Russian officials before the public announcement.
On Saturday, minister for cyber security Clare O'Neil said the Australian government would with a new task force of around 100 AFP and Australian Signals Directorate officers to "hack the hackers".
The hackers have released , including a spreadsheet listing 303 patients alongside billing codes related to pregnancy terminations, including non-viable pregnancy, miscarriage, and ectopic pregnancy.
Ms Zhang said she is worried about what information the hackers had and if it would be released publicly or on-sold.
“Of course, I worry about it, no one wants their private information to go public, no one, especially your medical record, where you claim your extras, what you do, it’s very, very sensitive, no one wants that, I’m so worried about it,” she said.
Ms Zhang wants Medibank to assist customers affected by the hack to help protect them from possible repercussions.
“I really, really suggest they do the protections for their customers, not just say sorry,” she said.
Ms Zhang said when she contacted Medibank about her concerns, the response was “very official, they cannot do anything and they are very sorry.”
She said it was up to those in charge at Medibank to take action.
“I want the person who really can make decisions in Medibank to do something,” she said.
Two legal firms, Bannister Law and Centennial Law, are investigating a potential class action against Medibank over the data breach.
They say they believe by not stopping the hack.
"Medibank has a duty to keep this kind of information confidential," the law firms said in a statement.
"This latest data breach exposes the lack of safeguards in place to prevent such personal and private information being released to wrongdoers and Medibank and Ahm have failed policyholders in these circumstances."
No case has been filed with a court.
Ms Zhang said it would be a “big decision” to decide to be part of any legal action.
“I have two kids, I have a job, I really don’t want to use my time on such things, I want the things as easy as they can do, as simple as they can do,” she said.
Ms Zhang said she’d noticed an influx in junk emails, all using her real name, in recent days.
“Some are very easy to recognise it’s a phishing email and some are very tricky,” she said.
While Ms Zhang said she mostly knew what to look out for to avoid being scammed, she said others may not be as savvy about such things.
“If it was my parents, they definitely would be tricked,” she said.
Ms Zhang said she was currently looking into different health insurance providers.
What assistance is available to Medibank customers?
Medibank has set up a dedicated 'Cyber Response Support Program' for those affected in a number of ways.
As part of the program, a health and wellbeing phone line has been set up, the cost of replacing identity documents that have been compromised can be reimbursed and 'vulnerable' customers have access to personal duress alarms.
Medibank CEO David Koczkar issued an "unreserved" apology saying the company would "continue to support all people who have been impacted by this crime."
“We remain committed to fully and transparently communicating with customers and we will be contacting customers whose data has been released on the dark web,” he said.
“Unfortunately, we expect the criminal to continue to release stolen customer data each day. The relentless nature of this tactic being used by the criminal is designed to cause distress and harm.
"These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care."
