Canberra, Australia: The US’s largest health insurer said on Wednesday that a cybercriminal had hacked the personal data of all 4 million of its customers, as the government introduced legislation that would increase penalties for companies that fail to protect customers’ private information.
Medibank said a “significant amount of health claims data” was also accessed in the breach, which was reported to police a week ago when trading in the company’s shares was halted.
The thief has demanded ransom and threatened to reveal the diagnosis and treatment of high-profile clients.
Medibank said its priority is to find the specific data stolen in relation to each customer and share that information with those customers.
The company had previously said the breach was believed to be limited to its subsidiary AHM and foreign students.
“Our investigation has now established that this perpetrator has accessed the personal data of all our private health insurance customers and a significant amount of their health claims data,” Medibank chief executive David Koczkar said in a statement to the Australian Securities Exchange.
“This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community,” Koczkar added, apologizing to customers.
The government is planning urgent legislative reforms on cyber security regulation after hackers stole the personal data of nearly 10 million current and former customers of Optus, Australia’s second largest wireless telecommunications carrier.
Optus learned on September 21 that the personal data of more than one-third of Australia’s population of 26 million had been stolen.
In introducing amendments to the Privacy Act to Parliament on Wednesday, Attorney-General Mark Dreyfus cited both companies and MyDeal, an online retail intermediary that lost data on 2.2 million customers in a hack disclosed two weeks ago.
“As the Optus, Medibank and MyDeal cyber attacks have recently highlighted, data breaches have the potential to cause serious financial and emotional harm to Australians, and this is unacceptable,” Dreyfus told Parliament.
“Governments, businesses and other organizations have a responsibility to protect Australians’ personal data, not treat it as a commercial asset,” added Dreyfus.
The government criticizes companies that collect more customer data than is necessary to make money unrelated to the services for which the information was provided.
Fines for serious breaches of the Privacy Act will now rise from 2.2 million Australian dollars ($1.4 million) to AU$50 million ($32 million) under the proposed amendment.
A company can also be fined up to 30% of its revenue over a specified period if that amount exceeds AU$50 million ($32 million).
Medibank said on Wednesday it did not have cyber insurance and estimated the hack would cut its earnings by between AU$25 million ($16 million) and AU$35 million ($22 million) early next year.
The trading halt was lifted on Wednesday and shares fell more than 14% in early trading.