Medibank is in the business of covering unforeseen medical costs but it didn't see this coming.
The health insurer, which didn't have its own policy against cyber-crime - on Wednesday, October 26 confirmed in a telephone briefing - that the prognosis of the October 12 data breach is worse than first thought.
Medibank's chief executive officer David Koczkar [[koz-car]] says it's a crime designed to cause maximum harm to the most vulnerable members of our community.
"As previously advised, we have evidence that the criminal has removed some of our customers personal and health claims data, and it is now likely that the criminal has stolen further personal and health claims data. As a result, expect that the number of affected customers could grow unreservedly. This is a terrible crime."
What this includes is the personal data of ALL its customers and a significant amount of claims data that reveals medical procedures and diagnoses.
Medibank's main brand as well as its cheaper online offshoot A-H-M and international student customers - both past and present - are all affected.
The news sent the company's share price plummeting, falling more than 15 percent after a week-long trading halt ended.
Medibank's put the cost of managing the disaster at up to $35 million, for things like customer I-D protection and tech investments, but that doesn't include potential regulatory or litigation-related costs.
The company's now refusing to say if it's being held for ransom or explain how the hacker gained access.
It only realised the data had been taken after the hacker provided a sample.
But Medibank's group executive of technology and operations, John Goodall, says he believes they're no longer in their systems.
"The tools we've deployed, basically are set up to prevent entry into the system, to prevent malicious activity into the system. And all the feedback we're getting from the eyes on glass if you like on our monitoring system are telling us that the hack is not in our network."
