Medibank Breach - Compromised Velocity Accounts Locked

I changed over to Medibank at the time they were giving 150k VFF points away, so they obviously required the FF number.
I also changed over for the 140,000 bonus points, but I am annoyed that I have to remember my membership number again, which I am not looking forward to.
 
Got the same worded one as Jaseo5, but from 'AHM'.

At first I assumed it was some scam, as I've never, ever, used Medibank. But his wording was the same as mine -

'visit the dedicated page for Medibank and ahm customers.'

Have a recollection I was with AHM maybe 10 or more years back.

Agree with Bill Shorten - 'laws need to be passed so that we all own our old data.'

Close a bank or telco or health or insurance account and these records MUST be destroyed by law. Bog simple. Issue solved then. I'd not have been hacked and not compromised then.

Some outfit I used a decade or more back has ZERO RIGHT to have all this personal data stored, so that it can be stolen by hackers at any time in the future. :(
While you may say zero right, often they are compelled by law to retain these records. E.g. mobile telephone records are retained for anti-terrorism and anti-money laundering. Private health records are retained for calculating and auditing the lifetime calculations for the Medicare levy surcharge.

It also requires a cultural change - people get fired for deleting things generally, so people are cautious. We need to flip that around and make people accountable for not deleting things.
 
While you may say zero right, often they are compelled by law to retain these records.

A Health benefit fund I once belonged to over a DECADE back?

You must be joking ??????????

Can you point me to the LAW that says they need to retain such data on us?

Agree with Bill Shorten - 'laws need to be passed so that we all own our old data.'

Close a bank or telco or health or insurance account and these records MUST be destroyed by law. Bog simple. Issue solved then. I'd not have been hacked and not compromised then.

Some outfit I used a decade or more back has ZERO RIGHT to have all this personal data stored, so that it can be stolen by hackers at any time in the future.
 
A Health benefit fund I once belonged to over a DECADE back?

You must be joking ??????????

Can you point me to the LAW that says they need to retain such data on us?

The law does not require them to delete it - and it must be retained for at least 7 years as it’s health and financial records. More than 10 is poor form, but 7 years after they stopped providing service to you is the minimum.

Read Medibank Private’s own policy:

When and how we dispose of your personal information

We seek to keep your personal information for only as long as it is required in order to provide you with products and services or to legitimately comply with our business and legal obligations and requirements. When it is no longer needed for these purposes, we may destroy or permanently de-identify this personal information.

Note the use of the word “may”.
 
The law does not require them to delete it - and it must be retained for at least 7 years as it’s health and financial records. More than 10 is poor form, but 7 years after they stopped providing service to you is the minimum.

Read Medibank Private’s own policy:

When and how we dispose of your personal information

We seek to keep your personal information for only as long as it is required in order to provide you with products and services or to legitimately comply with our business and legal obligations and requirements. When it is no longer needed for these purposes, we may destroy or permanently de-identify this personal information.

Note the use of the word “may”.
I believe that health records for children must be retained for 7 years after they turn 18, so could be required to be retained for up to 25 years, by law. Not sure if this applies to all states, but I believe it is the case in Queensland.

However, this is the requirement for the medical practitioner and not for the health insurance company.
 
I believe that health records for children must be retained for 7 years after they turn 18, so could be required to be retained for up to 25 years, by law. Not sure if this applies to all states, but I believe it is the case in Queensland.

However, this is the requirement for the medical practitioner and not for the health insurance company.
Insurers will just retain the information claiming it's “fraud prevention” - as I indicated, the system is the wrong way around at the moment. Computer storage is cheap and effectively limitless, so most organisations can think of any number of business justifications to keep data indefinitely, e.g. marketing, fraud prevention, analytics/trending, and efficiency. It costs time and money to make decisions to delete things.

It used to be the low risk option, but keeping data too long is now the high risk option.
 
A few teething problems with my new Velocity number.

No upcoming flights in there including a flight on Thursday….


Plus when you try to enter your booking ref details to retrieve flight...nothing. Even after changing booking to new Velocity number.

Will be interesting to see how this plays out.
 
While you may say zero right, often they are compelled by law to retain these records. E.g. mobile telephone records are retained for anti-terrorism and anti-money laundering. Private health records are retained for calculating and auditing the lifetime calculations for the Medicare levy surcharge.

It also requires a cultural change - people get fired for deleting things generally, so people are cautious. We need to flip that around and make people accountable for not deleting things.

That's a salutary lesson in unintended consequences in legislation there, isn't it? Think of the unintended consequences of the lifetime calculation that goes into the Medicare levy surcharge, i.e. the "punishment" for not having private health insurance above a certain income level. Similarly the unintended consequences of anti-money laundering and anti-terrorism laws, with retention of info by banks and telco companies. All well-intentioned laws drafted with no regard to privacy and security considerations.

You make a good point about a bit of "mission creep" inside organizations about their internal decisions as to whether to keep old data or not, and it's the cheaper/lazier approach to retain data, rather than actively seek out old data and delete it. I guess a lot of legacy IT systems make it difficult to update and delete old data, but the ideal solution would be to have no legacy systems and have all personal data collected carry metadata with an "expiry date", where the data is auto-deleted past expiry. Then it would just be a case of implementing an IT policy as needed. This would also be a massive wake-up call to companies who outsource their data/IT capabilities, and although we haven't got the full story yet, it's interesting that most of the high profile breaches at Optus and Medibank might have been breaches that occurred within Australia? The other point of weakness must be the practice of data backups, where the whole IT industry is geared towards the systems and data being periodically backed up and able to be restored if something goes wrong with a server or someone digs up a cable somewhere on a construction site.

God help us if one of the major government databases, such as a state driver's licence database, or say the ATO, ever gets hacked, or indeed one of the IT giants such as Google/Apple or Microsoft ever gets hacked. Certainly health records, bank records and phone operating systems/IT/Telco records are the high profile targets at the moment, because they often contain critical parts of the "keys to the kingdom" for most users.
 
Can you point me to the LAW that says they need to retain such data on us?
Simply put, there is no law requiring any company to delete or destruct data.
Companies will have their own policies on what they may do with your data.
There's various laws about retaining data for a period of time, but nothing about deleting or destructing.

To be clear: there is no law requiring any company to delete or destruct data.
 

Changing the linked partners isn’t the smoothest.

I have my new Velocity number but so far haven’t been able to de-link my old number from Krisflyer (it errors out), and can’t add the new number while an active link is there.

Interestingly Virgin haven’t included any information on whether we need to update the Velocity number Medibank has on hand for us!
 
Simply put, there is no law requiring any company to delete or destruct data.
Companies will have their own policies on what they may do with your data.
There's various laws about retaining data for a period of time, but nothing about deleting or destructing.

To be clear: there is no law requiring any company to delete or destruct data.

Actually, companies with turnover of over $3m must comply with the Australian Privacy Act 1988, administered by the OAIC.

It is specific that only your data relevant to the company's use can be kept.

There is also a legal right for us to get access to all data a company keeps on us (in general, unless CinC, of which my date of birth is not).

Therefore, if data is kept which is not fulfilling the regulatory requirement it can be deleted and we can ask for it to be

I worked as a doctor, so medical records etc. have stipulated requirements.

That is not what we are talking about here, where data is kept despite someone not being a client of a company anymore, or the data is kept for an irrelevant purpose.

Surely this should trigger an onus on the company as per the Act to notify why, and if such data is still kept for VALID reasons, if such exemptions exist, i.e. terrorism.

Actuarial information is a commercial endeavour and not a valid reason to keep individual data.
 
Therefore, if data is kept which is not fulfilling the regulatory requirement it can be deleted and we can ask for it to be
And when it's deleted it's kept on backup for 7 years .....
Plus when it's deleted it's likely not to be fully deleted; the backend database just has a deleted flag next to it, so it's not visible but still exists. (A staff member presses delete, but an IT system administrator can open the database and see the data with the marked-for-deletion flags.)

The outcome is this is all going to change with better legal requirements and there will be a massive cost to encrypt the data (not the drive of the data, but the actual data) and delete / purge data properly and fully.

But this is all way off topic
 
And when it's deleted it's kept on backup for 7 years .....
Plus when it's deleted it's likely not to be fully deleted; the backend database just has a deleted flag next to it, so it's not visible but still exists. (A staff member presses delete, but an IT system administrator can open the database and see the data with the marked-for-deletion flags.)

The outcome is this is all going to change with better legal requirements and there will be a massive cost to encrypt the data (not the drive of the data, but the actual data) and delete / purge data properly and fully.

But this is all way off topic
Written like someone who deals with systems. Upvote from me!
 
I am aware under the Velocity FF thread the issue of Medibank hack is being discussed with those relevant implications.
However - and mod pls forgive if new thread not appropriate - I would welcome AFF community input/support
I got ‘the email’ regarding my personal data being released today.
My biggest gripe is that the first thing I was directed to do by MP was change my password (again).
Attempts to do this did not work on either the app or the online account.
Directed to the chat function, where they requested ALL IDENTIFYING details (hello hacker), then said sorry, tech issues.
Used the forgot password - managed to change my password, but no data about me in my file - except my dashboard!!
App states there are technical glitches currently on MP website - what is my data being downloaded as we speak?
The links MP send in the email to me are totally useless information I have already (don’t click on Phishing links!.. as if).
I don’t need mental health support but clear useful actionable information (not clicking on links in an email — the irony)
I am now hunting for a new health fund and will be demanding all my data from MP.
Have already changed all passwords, medicare card, limits on accounts and transactions from CC online (will unblock when I need to use)
Anyone else suggest anything I can do or need some support in this mess?
Thank you for listening.
 
I received a similar email, I will change our passwords and consider options.
I have been with them since I joined the HIC (who ran Medibank) in 1986.
Can’t complain about their service when it comes to hospital stays; I think with the boss we have had our money's worth over the last few years. :)
However some rebates are less than stellar, so decisions to be made. We are at the age where we will need more maintenance, so I am not going to rely on the public system.
I also bought a few shares, they have dropped in value but I have more than recovered their initial purchase cost with dividends, so not really worried if they continue to fall.

Unable to change my password online, maybe the system is clogged.
 