Hackers behind the massive Medibank data breach had access to the personal data of all four million of the health insurer’s customers.

But the number of affected people is set to grow substantially, with Medibank confirming all customers of its ahm offshoot and all international student customers also had their data breached.

The insurer is working through the details of each individual customer so each person knows what type of information the hackers accessed, including personal and health claims data.

“We believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially,” Medibank chief executive David Koczkar said.

“I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.”

Medibank has announced a support package for those affected that includes financial backing and specialist identity protection.

It warned customers to be on alert for any suspicious messages via email, text or phone call.

The stock exchange-listed Medibank, which briefed its investors on Wednesday, doesn’t have cyber insurance.

It estimates the hack will result in a $25 million to $35 million pre-tax hit to its first half fiscal 2023 earnings.

The Medibank issue is the second high-profile hacking in weeks after Optus suffered a huge data breach last month.

Cyber Security Minister Clare O’Neil was asked about the Medibank hack in parliament on Tuesday, saying the government’s best people were on the job.

“Australians who are struggling with mental health conditions, drug and alcohol addiction or diseases that carry some shame or embarrassment are entitled to keep that information private and confidential, and for a cybercriminal to hang this over the heads of Australians is a dog act,” she said.

“It is scum-of-the-earth, lowest-of-the-low territory.”

The government will introduce new legislation to parliament to massively increases penalties for companies that don’t properly protect sensitive data.

Fines will rise to whichever is greater – $50 million, 30 per cent of the company’s turnover in the relevant period or three times the value of any benefit gained from the stolen data.

The laws would also boost the Australian Information Commissioner’s powers to resolve breaches and increase information sharing with the Australian Communications and Media Authority.

Alex Mitchell
(Australian Associated Press)