Medicare has admitted that customer data, including medical claims information, is included in 200GB of data that has been obtained by a hacker. In a statement to the Australian Stock Exchange [pdf], Medibank said it had been contacted by a criminal who provided a sample of records for 100 customer policies.

“That data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data," it said.

The claims data includes some of peoples’ most private medical information: “where a customer received medical services, and codes relating to their diagnosis and procedures.”

Medibank said the attacker also claimed to have “data related to credit card security” but that this was yet to be verified.

Medibank first disclosed on October 13 that it had found "unusual activity" on its network the day before, leading it to pull customer-facing systems offline and suspend trading for the rest of the week.

The insurer has nearly 4 million customers nationwide, but only 1 million have their critical information stored in the “ahm” and “international student” policies database that was hacked.

The breach is being investigated by the Australian Federal Police with officers placed within Medibank to help minimise the fallout from the breach.

Minister for Cyber Security Clare O'Neil said Medibank initially “assured” the government no customer data had been affected by last week’s breach and that the malicious actors had been removed.

It was subsequently revealed the criminals had made contact with the company and were claiming to have accessed significant amounts of data and were demanding to enter into negotiations.

The data was effectively being held for ransom, Ms O’Neil said.

The company's chief executive, David Koczkar, offered an unreserved apology for "this crime, which has been perpetrated against our customers".

"I know that many will be disappointed with Medibank and I acknowledge that disappointment," he said.

"This cybercrime is now the subject of an investigation by the Australian Federal Police.

"We will learn from this incident and will share our learning with others."

Mr Koczkar promised to continue to provide customers and the public with updates as the investigation continued.

This week the Australian Tax Office revealed it gets 3 million attempted hacks on its systems every month.

At The Tax Summit 2022 ATO Second Commissioner Jeremy Hirschhorn warned that the ATO’s increasing digitisation efforts have made it more vulnerable to attacks due to a widening attack surface. 

During his talk, Hirschorn said that as personal data or commercially sensitive data are increasingly being shared between banks, super funds and tax agents, cybercriminals are gaining a larger window of attack.