Australian health insurance firm Medibank on Wednesday disclosed that the personal information of all of its customers had been unauthorizedly accessed following a recent ransomware attack.
In an update to its ongoing investigation into the incident, the firm said the attackers had access to "significant amounts of health claims data" as well as personal data belonging to its ahm health insurance subsidiary and international students.
Medibank, which is one of the largest Australian private health insurance providers, serves about 3.9 million customers across the country.
"We have evidence that the criminal has removed some of this data and it is now likely that the criminal has stolen further personal and health claims data," the company further added. "As a result, we expect that the number of affected customers could grow substantially."
The company also said it's continuing its probe to determine what specific data has been stolen in the attack and that it will directly notify affected customers of the matter.
The development comes as the incident has become the subject of an investigation by the Australian Federal Police (AFP), with Medibank acknowledging that it has been contacted by a criminal actor claiming to have siphoned 200GB of data.
"That data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers, and some claims data," it noted. "This claims data includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures."
Other uniquely identifiable personal information such as passport numbers with respect to international student policies have also been accessed, but Medibank stressed that it found no evidence that direct debit details have been breached.
In a separate investor announcement, Medibank said it has bolstered its monitoring capabilities to prevent such attacks in the future. It also estimated the cybercrime event to cost it anywhere between AU$25 million and AU$35 million.
Medibank customers have been recommended to stay vigilant for any phishing or smishing scams, with the company pledging free identity monitoring services and financial support for those "who are in a uniquely vulnerable position as a result of this crime."
The high-profile and damaging data breaches have prompted the Australian government to introduce stringent data protection laws, which include increased monetary penalties of up to AU$50 million from the current AU$2.2 million cap.
The new Privacy Legislation Amendment Bill 2022 also seeks to entrust the Australian Information Commissioner with more powers to resolve privacy breaches.
"Significant privacy breaches in recent weeks have shown existing safeguards are inadequate," Attorney-General Mark Dreyfus said. "We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behavior."