Major Australian Health Insurer Disables Systems in Response to Cyberattack

Medibank signage sits on top of the Medibank building in Docklands, Melbourne, Australia, on Oct. 1, 2014. (Scott Barbour/Getty Images)
Daniel Y. Teng

One of Australia's largest private health insurers has suffered a cyberattack just a week after telecommunications giant Optus was spurred into damage control after the data of millions of customers was leaked.

The Medibank Group, which services around 3.9 million customers, revealed on Oct. 13 that a day earlier, it detected unusual activity on its network.

"In response to this event, Medibank took immediate steps to contain the incident, and engaged specialised cyber security firms," the company said in a statement. "At this stage, there is no evidence that any sensitive data, including customer data, has been accessed."

Medibank said the company isolated and removed access to customer-facing systems to reduce the possibility of damage.

The policy management systems for its ahm and international student products were taken offline for most of the day.

"I apologise and acknowledge that in the current environment, this news may make people concerned," said Medibank CEO David Koczkar. "Our highest priority is resolving this matter as transparently and quickly as possible."

"We are working around the clock to understand the full nature of the incident and any additional impact this incident may have on our customers, our people, and our broader ecosystem."

The Second Incident in a Month

The incident comes just a week after Optus suffered the largest data security breach in Australian corporate history, with the identification documents of 2.1 million customers exposed, including 1.2 million driver's license numbers.

The telco also said millions of additional pieces of data were stolen, but the information was out of date.

The company said it would conduct an independent review of the cyberattack with auditing firm Deloitte engaged for the task.

"We're deeply sorry that this has happened, and we recognise the significant concern it has caused many people. While our overwhelming focus remains on protecting our customers and minimising the harm that might come from the theft of their information, we are determined to find out what went wrong," said CEO Kelly Bayer Rosmarin.

Australian Federal Police have also set up a task force to deal with the 10,000 most vulnerable customers who lost sensitive data, including passport numbers.

The Australian government requires companies to use a "100-point check" system to verify customer identities, including passport numbers, driver's licences, and birth certificates.

Daniel Y. Teng is based in Brisbane, Australia. He focuses on national affairs including federal politics, COVID-19 response, and Australia-China relations.