In October 2022, Medibank Private, Australia’s largest private health insurer, confirmed a catastrophic data breach affecting 9.7 million current and former customers. The breach was carried out by Russian-linked hackers who then published the stolen data on the dark web after Medibank refused to pay a ransom.
What data was exposed?
The Medibank breach was uniquely damaging because it exposed health information, some of the most sensitive data a person can have. Exposed data included names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, and for many customers, sensitive health claims data including diagnosis codes and procedure details.
What makes health data different?
Health data cannot be changed like a password. It is permanent, deeply personal, and can be used for discrimination, blackmail, or targeted fraud. The hackers specifically published data about customers who had sought treatment for sensitive conditions including mental health, addiction, and reproductive health.
What has happened since?
The Australian Federal Police launched Operation Guardian in response. ASIO and international cybersecurity agencies have attributed the attack to a Russian hacking group. Class action lawsuits against Medibank are ongoing as of 2026.
What should Medibank customers do?
- Check your exposure: Use DataGuard AU’s breach check to see what data of yours is in circulation.
- Monitor your accounts: Watch for unusual activity on Medicare, private health, and financial accounts.
- Be wary of health-related phishing: Scammers may contact you using your health data to appear legitimate.
- Contact Medibank: medibank.com.au has a dedicated support line for breach victims.
- Consider a privacy audit โ If you were a Medibank customer, a full personal data audit can identify all the ways your data may now be at risk.