‘Immense harm’: Medibank confirms hackers have stolen customer data

smh.com.au

5 points by laurencei 3 years ago · 3 comments

ggm 3 years ago

I've been receiving the mails, as a Medibank member, and whilst they beg questions, I would agree they represent reasonable, and open, honest statements of what is known, as the problem emerges.

I'm not happy, but I am probably not "that's it: I'm changing health fund" unhappy. I want to see what remediation they offer, and what harms flow from the leak. So far, it's privacy invading. Which sucks, but the likelihood of identity theft from this information leak isn't clear to me yet (it's possible Medicare identity can be part of the Australian 100pts test and so it may have significant risk of abuse, and I might (if one of the affected people) be seeking re-issuance of my Medicare number, at their expense.)

Compared to the Optus data leak, I don't know what I think. Medibank is a privatised health fund formerly run by the government and subsequently fully privatised. I like former state enterprises, when it comes to choosing private providers, for purely personal reasons. I expected better of them, frankly, than to implement weak barriers to attack regarding intensely private data like my health records.

  • NoPicklez 3 years ago

    I think if we operate under the classic "it's not if but when" when it comes to data breaches, then switching providers isn't always the best idea in these situations. If anything, Medibank's security should be significantly bolstered following the attack, as executives, recruitment etc. will now have realised the impacts of a data breach. Not something every company has had to deal with YET.

    What I do worry about is corroborated information: if you were involved in the Optus breach, which realistically is likely for many of us, then your leaked driver's licence number including your Medibank number can start to make up that 100 points of ID check.

    Therefore I suspect that people should be having either their DL or Medibank number changed, if they've been confirmed in the breach.

    • ggm 3 years ago

      My partner pointed out to me this morning that we might choose to be casual about our medical history, but if the affiliate organisation is for overseas students, and they come from regimes with repressive views on abortion or gender, then a medical history leak could be extremely damaging for them.

      And you're right about Optus+Medibank getting over the 100pts threshold. That would be a really serious consequence for those people.
