Uninsured Medibank says cyber attack has impacted all its customers

Medibank has revealed that a hacker has accessed the personal data of nearly four million of its customers.

In an investor update on Wednesday morning, Medibank said its investigation has now revealed the hackers had access to the personal data of all its customers across ahm and Medibank brands, as well as international student customers.

The personal information includes name, address, date of birth, some Medicare card numbers and gender. Significant amounts of health information have also been compromised.

Medibank is one of the largest private health insurance providers in Australia. The company did not have cyber insurance.

The Medibank hack is the second high profile cyber crime to hit Australians in two months, with telecoms company Optus also suffering a significant data breach in September.

The hack is likely to cost Medibank a minimum between $25m and $35m, Medibank said. This estimated cost does not include customer compensation or regulatory or legal costs that may be brought against the company.

Medibank is in communication with the hacker but the company has declined to say whether it would pay any ransom demands made.

Medibank revealed earlier this month that it had detected "unusual activity" on its network.

It said it had engaged "specialist cyber security firms", saying initially there was "no evidence" customer data had been stolen. But Medibank said on Tuesday the hack had taken a "distressing" turn after it received further files from the hackers.

Medibank is working with the federal government as well as the Australian Federal Police and the Australian Signals Directorates' cyber security centre as part of the response.

The Australian Government is set to introduce new legislation to parliament this week that substantially increases penalties for companies that don't properly protect sensitive data.

The penalties for a serious or repeated breach of privacy will increase from $2.22m, up to a maximum of $50m.