‘This is just outrageous’: Medibank data breach impacts tens of thousands of international students

The personal data of potentially tens of thousands of international students may have been compromised by a major data breach at Medibank — one of Australia’s largest private health insurance providers.

Medibank confirmed a major breach of data on international students who use Medibank for their Overseas Student Health Cover (OSHC) along with their subsidiary brand, ahm. It also revealed in its ongoing cyber crime investigation that ”all Medibank customers’ personal data and significant amounts of health claims data” have been compromised. 

Medibank further confirmed today that all international student customers’ personal health data and significant volumes of health claim data have been breached.

Given that Medibank is the preferred OSHC provider at the University of New South Wales (UNSW), Macquarie University and the University of Technology Sydney (UTS), students at the three institutions will likely be disproportionately affected by the breach. Outside of Sydney, Edith Cowan University, the Royal Melbourne Institute of Technology (RMIT), Swinburne University, Newcastle University, Flinders University, the University of Western Australia (UWA), Victoria University and La Trobe University all partner with Medibank as their preferred provider. The number of students affected, as such, is expected to stretch into the tens of thousands. 

Erika Katalbas, a former international student who graduated with a Master of Social Work, told Honi that she used to be registered with Medibank during her degree until moving to BUPA. Being the victim of a similar data breach at Optus earlier this month, this marks the second time that she received a notification indicating that her personal information may have been compromised. 

“I felt surprised at how quickly the Medibank breach happened after the Optus breach. What’s more surprising is that I’m no longer a customer of Medibank and my data was still compromised despite it being over a year since they were my health insurance providers,” she said. 

“It’s giving me anxiety because as a former international student and a current temporary resident, I’m already in a vulnerable situation where I’m in a different country, I don’t have the same rights and protections as citizens, I’m not even sure the corporations would treat me equally to their other local customers.” 

Katalbas said that the advice given by Medibank, at the time of writing, is for users “to be vigilant”. 

“I worry for what my data will be used for. I have no idea as well about whether these companies will be held accountable in the occasion that my data is misused,” she said.

Speaking to Honi, UNSW SRC International Students’ Officer Si Thu Zin was frank about his concerns for international students, not only in his home institution but also across the nation. UNSW is one of many universities who nominate Medibank as their preferred OSHC provider. 

“With the breach of data, what I am worried about are scams and blackmails. These are not uncommon in the international student community,” Zin said.

For Zin, it is vital that Australia’s universities closely monitor the situation and offer timely support for all students who are affected by the data breach.

“It is a wake up call for all other companies and really calls into question the security measures of these companies and the privacy laws [that are] in place.” 

Dhruv Sabharwal, International Officer at the National Union of Students (NUS) also expressed significant concerns surrounding the development, describing the way that the data breach has unfolded as “outrageous”, demanding that Medibank compensate students who are affected. 

“OSHC contains a lot of data about students and this breach puts every international student at risk,” Sabharwal said. 

“Government needs to intervene and suggest solutions and Medibank needs to compensate every international student who had their OSHC registered with Medibank,” he said.

“We have been paying thousands of dollars to Medibank for this and this is just outrageous.”

This latest breach occurs in the context of cyber security breaches in the past few months, with Optus previously affected by hackers. 

In response, the Albanese government is set to introduce new laws that significantly increase fines for companies that do not comply with data protection legislation. The new laws would also enhance the federal Information Commissioner’s powers and information sharing with the Australian Communications and Media Authority. 

As of today, Medibank has advised that those who have had their data stolen have access to a support package including financial support for uniquely vulnerable customers, free identity monitoring services for customers who have had their primary ID compromised and reimbursements for re-issue of identity documents that have been fully compromised. 

Customers are also advised to contact Medibank’s resources in relation to the incident.