The Medibank data breach has already impacted 9.7 million customers, and now that staggering number has risen even further, after it emerged staff details had also been compromised.

Last month, the private health insurance giant announced it was hit by a “cyber incident,” along with ahm, owned by Medibank.

Approximately 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers were affected after the credentials of a staff member with high-level access to Medibank’s systems were obtained and sold to hackers on a Russian cybercriminal forum.

The group has been releasing highly sensitive customer data on a shadowy web blog linked to the Russian REVil ransomware group since last week, including information about people’s mental health, drug and alcohol use, and previous pregnancy loss which may include non-viable pregnancies such as fetal anomaly, ectopic pregnancy, molar pregnancy, miscarriages and readmission for complications such as infections.

But an email sent to Medibank employees seen by revealed that hundreds of current and former employees had also been affected, along with millions of customers.

“Hello everyone. We are deeply sorry to inform you that some data relating to your work device for the time you worked at Medibank was stolen in the recent cybercrime event,” reads the concerning staff email.

“We don’t believe the offender had access to Success Factors or payroll data, however he did have access to an Excel spreadsheet that included information about your device. On Wednesday, November 9, this information was posted by the criminal on the dark web.

“We recognize the distress this may cause you and apologize for what happened.”

The email confirmed that the file included information such as employee full names, cell phone numbers and device information, and warned that the data could be used for “increased spam such as spearfishing and engineering social”.

Spear phishing is targeted at a specific person or group of people by purporting to be from a trusted sender, while social engineering is the art of manipulating people so they provide sensitive information such as passwords, explained the e -mail.

The company has urged staff to be “extremely vigilant” when using their mobile phones and to follow a number of additional precautions, including being alert to any phone or email phishing scams, checking communications received to ensure are legitimate, changing your passwords regularly and avoiding opening links in texts or emails from unknown or suspicious numbers.

The email concluded by thanking the workers for their “understanding” as the company “continues to respond to this cybercrime.”

A Medibank spokesman confirmed that hundreds of past and present staff members were also involved in the breach.

“The files released by the criminal include an Excel spreadsheet of approximately 900 current and former employees – including their name, email address, their mobile phone numbers and device information including asset number and phone name (serial number and IMEI number),” the spokesperson said in a statement provided to

“While security experts have told us the security risk is low, the information could be used to ramp up spam such as spearfishing.

“A hacker will not be able to use the information to access people’s phone data or remotely hack into their phone. We have also taken steps through our telecom provider to block phone number portability for Medibank devices.

“We have offered our employees and former employees the ability to change their mobile number at no cost to them.

“We also have a dedicated on-call psychologist available.

“Employees who are customers can access the same support as any other Medibank customer and ahm.”

Class action looms

The revelation comes after Bannister Law Class Actions and Centennial Lawyers joined forces to investigate the serious data breach for a potential class action against the health insurance giants.

Bannister Law principal Charles Bannister said lawyers at had already been “inundated” with potential claimants and said countless clients had already been badly affected by the hack.

“There are victims of domestic violence who are understandably distressed about the details of their address being disclosed. We are seeing widespread problems,” she said.

“Some individuals literally live in fear for their lives if their addresses are made public, others live in fear of public ridicule, loss of their job, and relationship breakdown if their sensitive medical information is made public.

“Others risk being blackmailed if their HIV status or other health information is made public. Some of Medibank’s clients and ahm will be policemen or security officers who are at great personal risk if their personal data and details of their immediate family members become public.

Bannister Law Class Actions and Centennial Lawyers are now preparing legal proceedings to initiate a class action and plan to file proceedings shortly. The law firms are urging all affected current and former Medibank and ahm clients, including international clients, to do so register here.

Leave a Reply

Your email address will not be published. Required fields are marked *