Medibank keeps quiet
Medibank will keep its hack report under wraps.
Australia’s largest health insurer, Medibank, has announced that it will not publicly release the findings of an external report into a cyber attack that resulted in the theft of personal data and health information of almost 10 million current and former members.
The Deloitte report, however, did make recommendations to enhance Medibank’s IT processes and systems.
The company said that some of these recommendations have already been implemented, and that it intends to implement all recommendations not already undertaken, along with other enhancements previously planned by Medibank.
A spokesperson for the company said that no further information would be shared publicly, but that Medibank would share lessons from the cybercrime with other Australian businesses, where possible.
This decision to not publicly release the Deloitte report contrasts with that of Optus, whose CEO Kelly Bayer Rosmarin has been vocal in explaining the cyber attack at recent events. Optus is expected to share the findings of its external report once concluded.
A number of victims have expressed frustration at Medibank’s handling of the cyber attack, including the release of multiple statements claiming there was no evidence that information had been removed from its networks.
After several weeks, it emerged that nearly half a million customers had had their health claims data, including sensitive information about hospitalisations for drug addiction, abortions and sexually transmitted diseases, posted to the dark web.
Medibank did not contact many of these victims directly, instead choosing to send letters by post, despite having been informed by the hackers before it was shared online.
Medibank has previously stated that the cost of remediating the cyber attack would be up to $45 million, including $26.1 million that was spent in the six months to December 31.
The company is also under investigation by the Office of the Australian Information Commissioner and faces separate class actions from investors and victims.