10 Jun 2026

What Is the Issue with Medibank? The Data Breach, the Fallout, and What It Means for You

What is the issue with Medibank?

In October 2022, Medibank Private confirmed that the personal and medical data of 9.7 million current and former customers had been stolen by a criminal group. Names, dates of birth, Medicare numbers, policy details, and sensitive health claims data were all taken. Some of it ended up on the dark web.

It is one of the largest and most damaging data breaches in Australian history.

That is the core issue with Medibank. But the problems did not stop when the breach was contained. Customers are still dealing with login failures, trust issues, ongoing privacy concerns, and questions about what the company did wrong and what it is doing now. This article walks through all of it.

What Actually Happened to Medibank Private?

The breach started with stolen credentials. A criminal group used the login details of a Medibank IT contractor to access the company's internal systems. Once inside, they moved through the network and extracted a massive amount of customer data before anyone noticed.

Medibank initially told the public there was no evidence of a breach. Days later, the company reversed that position and confirmed the attack was far worse than first reported.

The hackers then demanded a ransom. Medibank refused to pay. In response, the attackers began publishing stolen data in batches on a dark web forum, including the health claims of customers who had sought treatment for sensitive conditions including HIV, mental health issues, and drug use.

The Australian Federal Police launched an investigation. The government attributed the attack to a Russia-based cybercriminal group. In 2024, Australia and its Five Eyes partners announced sanctions against one individual linked to the attack.

What made this worse than a standard data breach was the nature of the data. Health claims information is not something you can change like a password or a card number. It follows a person permanently. For people whose most private medical details were exposed, the harm is ongoing and real.

Is Medibank a Good Insurance Company Now?

Before the breach, Medibank was Australia's largest private health insurer with a reputation built over decades. After the breach, that reputation took serious damage.

Whether it qualifies as a good insurer depends on what you are measuring. On the product side, Medibank still offers a broad range of hospital and extras cover. Its policy options are comparable to other major insurers. Premiums sit in a similar range to competitors.

On the trust side, the picture is harder. The Australian Information Commissioner launched an investigation into whether Medibank failed to take reasonable steps to protect customer data, as required under the Privacy Act. In 2024, the Commissioner found that Medibank did interfere with the privacy of its customers and that the company's security practices fell short of what was required. Medibank has disputed some of those findings, and litigation is ongoing.

In my experience, when people ask whether Medibank is a good company, they are really asking whether they can trust it with their data. Right now, that is a fair question to sit with before making a decision.

Why Can't I Log In to Medibank?

Login problems with Medibank are common and come from a few different sources.

After the breach, Medibank forced a large number of customers to reset their passwords as a precaution. If your credentials stopped working around late 2022, that was likely the reason. The company also introduced additional authentication steps to make unauthorised access harder. Some customers found those new steps confusing, particularly older members who were less familiar with multi-factor login processes.

Outside of breach-related changes, Medibank's online portal and app have had technical issues at various points. The system does go down periodically for maintenance, and during peak periods there can be slowdowns or session errors that kick users out mid-login.

If you cannot log in right now, use the password reset function on the Medibank website. If that fails, calling Medibank directly is the most reliable option. Don't try to recover your account through any link sent in an unsolicited email or text message. Since the breach, phishing attempts targeting Medibank customers have increased significantly, and criminals have used the stolen data to make those messages look very convincing.

Is the Medibank System Down?

Medibank's systems are not permanently disrupted. The cyberattack in 2022 did not take the platform offline in the same way a ransomware attack might. The criminals extracted data rather than locking Medibank out of its own systems.

That said, Medibank does experience downtime. Scheduled maintenance windows are posted on the Medibank website. If you're having trouble accessing your account or submitting a claim online and you're not sure whether it's a personal login issue or a system-wide outage, checking the Medibank status page or searching for recent reports on services like Downdetector will give you a quick answer.

Persistent access problems that aren't linked to a known outage are worth reporting directly to Medibank, especially if you suspect your account may have been accessed without your knowledge.

What the Breach Exposed About Private Health Insurance Security

One of my clients went through the Medibank breach as a customer. She found out her data had been taken from a news article, not from Medibank directly. By the time she got a letter from the company, she had already spent hours trying to figure out what had been exposed and what to do about it.

Her frustration wasn't just about the breach itself. It was about being left in the dark while a company held some of her most sensitive information.

That experience points to something most articles about the Medibank breach miss. The issue isn't only what happened technically. It's what the breach revealed about how private health insurers have treated data security as a back-office cost rather than a core responsibility.

Health insurance companies hold what is arguably the most sensitive data a person generates. Medical history, mental health records, reproductive health claims, drug treatments. Under Australia's Privacy Act, companies that hold this kind of information are required to take reasonable steps to protect it. The investigation findings suggest Medibank did not meet that standard.

The entry point was a single set of contractor credentials. There was no multi-factor authentication required for that account. A basic security control that most organisations have considered standard practice for years wasn't in place on a system that held nearly ten million people's health records.
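The control gap described above (an account with access to a sensitive system but no MFA enforced) is the kind of thing an identity audit should surface before an incident does. The following is an added example, not Medibank's code: it takes an account export in a constructed format with constructed sample records, reports which accounts can reach a sensitive system without MFA, and lists third-party (contractor) accounts first because they are the higher-risk class.

```python
"""Audit an identity export for accounts that can reach a sensitive system
without multi-factor authentication (MFA) enforced.

Added example for illustration. The record layout, system names and sample
accounts below are constructed, not taken from any real environment."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    account_type: str      # "employee", "contractor" or "service"
    mfa_enforced: bool     # whether the identity provider requires MFA at login
    systems: frozenset     # systems the account is authorised to reach


# Constructed sample export (hypothetical accounts, not real ones)
SAMPLE_ACCOUNTS = [
    Account("j.smith", "employee", True, frozenset({"claims-db", "email"})),
    Account("vendor-ops", "contractor", False, frozenset({"claims-db"})),
    Account("backup-svc", "service", False, frozenset({"file-share"})),
    Account("a.lee", "employee", False, frozenset({"email"})),
    Account("ext-dba", "contractor", True, frozenset({"claims-db"})),
    Account("m.ng", "employee", False, frozenset({"claims-db", "email"})),
]

# Systems whose data warrants MFA for every account that can reach them
SENSITIVE_SYSTEMS = frozenset({"claims-db"})


def accounts_missing_mfa(accounts, sensitive_systems):
    """Return accounts that reach a sensitive system without MFA enforced.

    Contractor (third-party) accounts sort first; the rest alphabetically."""
    gaps = [a for a in accounts
            if not a.mfa_enforced and a.systems & sensitive_systems]
    return sorted(gaps, key=lambda a: (a.account_type != "contractor", a.username))


def coverage_report(accounts, sensitive_systems):
    """Summarise MFA coverage for accounts with access to sensitive systems."""
    with_access = [a for a in accounts if a.systems & sensitive_systems]
    enforced = sum(1 for a in with_access if a.mfa_enforced)
    return {
        "accounts_with_access": len(with_access),
        "mfa_enforced": enforced,
        "gaps": [a.username for a in accounts_missing_mfa(accounts, sensitive_systems)],
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_ACCOUNTS, SENSITIVE_SYSTEMS)
    print(f"{report['mfa_enforced']}/{report['accounts_with_access']} "
          f"accounts with sensitive access have MFA enforced")
    for name in report["gaps"]:
        print("MISSING MFA:", name)
```

The point of sorting contractor accounts first is operational: an external account with no MFA on a system holding health records is the finding to fix the same day, whereas an internal mailbox without MFA is a lower-priority gap in the same report.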

What Medibank Did and Did Not Do After the Breach

Medibank offered all affected customers free identity monitoring services through IDCARE, Australia's national identity and cyber support service. It set up a dedicated support line. It committed to covering certain costs for customers who suffered direct financial loss as a result of the breach.

What it did not do was pay the ransom, which is consistent with Australian government advice. What it also didn't do initially was give customers a clear, fast picture of exactly what data had been taken about them personally. The generic breach notifications that went out left many people unable to answer the most basic question: was my sensitive health information in what was stolen?

Class action lawsuits were filed on behalf of affected customers. Those cases are working through the courts. The outcome will likely shape how Australian companies approach data breach liability for years to come.

What This Means for Anyone With Private Health Insurance

Medibank is the largest example, but it's not the only private health insurer to have faced a security incident. The sector as a whole holds enormous amounts of sensitive data with varying levels of security maturity.

There are a few things worth doing regardless of who your insurer is. Check whether your insurer has multi-factor authentication available for your online account and turn it on if it does. Use a unique password for your health insurance login that you don't use anywhere else. If you haven't changed your Medibank password since 2022 and you're still a customer, change it now.

If you're a former Medibank customer who cancelled before the breach, your data may still have been in the stolen records. Medibank held historical customer data going back years. Being a past customer doesn't mean your information was safe.

Watch for phishing attempts that use your name, policy details, or health information to seem credible. If a message about your Medibank account asks you to click a link to verify your identity or claim a reimbursement, go directly to the Medibank website instead of using any link in the message.
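The advice above (go to the insurer's website directly rather than following a link) can be turned into a mechanical check: does the link's host actually belong to the insurer's domain? This is an added example, not code from the page or from Medibank; it assumes a placeholder trusted domain (insurer.example) and uses constructed message text. It treats common look-alike forms (the trusted name used as a prefix of another domain, a userinfo `@` trick, a hyphenated variant, plain http) as not belonging.

```python
"""Check whether links in a message belong to the insurer's own domain.

Added example for illustration. TRUSTED_DOMAIN is a placeholder assumption,
and the sample messages are constructed."""
import re
from urllib.parse import urlsplit

# Assumption: the insurer's legitimate registered domain (placeholder value)
TRUSTED_DOMAIN = "insurer.example"

# Matches http(s) URLs in free text; stops at whitespace or angle/quote chars
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def link_belongs_to(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """True only if the URL is HTTPS and its host is the trusted domain
    or a subdomain of it. Anything else is treated as not belonging."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    # .hostname strips userinfo ("user@") and port, and lowercases the host
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    return host == trusted_domain or host.endswith("." + trusted_domain)


def suspicious_links(message: str, trusted_domain: str = TRUSTED_DOMAIN):
    """Return every link in the message that does not belong to the trusted domain."""
    return [u for u in URL_RE.findall(message) if not link_belongs_to(u, trusted_domain)]


# Constructed sample messages (not real correspondence)
SAMPLE_PHISH = ("Dear member, a reimbursement is pending. Verify your identity at "
                "https://insurer.example.verify-claims.test/login within 24 hours.")
SAMPLE_GENUINE = ("Your claim has been processed. You can view it by signing in at "
                  "https://my.insurer.example/claims")

if __name__ == "__main__":
    for text in (SAMPLE_PHISH, SAMPLE_GENUINE):
        flagged = suspicious_links(text)
        print("suspicious" if flagged else "links belong to insurer", flagged)
```

A host that merely starts with the trusted name (insurer.example.verify-claims.test) fails the check because the comparison is anchored at the end of the host, and a userinfo trick (https://insurer.example@other.test/) fails because `urlsplit` reports the real host after the `@`.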

The Bigger Picture: Critical Infrastructure and Privacy Law

The Medibank breach fed directly into a national conversation about how Australia protects critical infrastructure. Private health insurance companies handle data that affects public health, national security assessments, and individual wellbeing at scale. Yet the regulatory framework around data security for these companies had significant gaps.

Following both the Medibank breach and the Optus breach that happened weeks earlier, the Australian government moved to strengthen the Privacy Act. Proposed reforms include higher penalties for serious or repeated privacy breaches, stronger individual rights to access and correct personal information, and a new right to opt out of certain types of data processing [1].

The Office of the Australian Information Commissioner also has more resources directed toward enforcement. The era of a data breach resulting in a strongly worded letter and no real consequence is ending, at least on paper. Whether enforcement keeps pace with the scale of risk is a question the next few years will answer.

Frequently Asked Questions

Was my data definitely stolen in the Medibank breach?

If you were a Medibank or ahm customer at any point before October 2022, your data was likely in the compromised systems. Medibank has a tool on its website where you can check whether your information was confirmed as accessed. If you're unsure, contact Medibank directly and ask them to tell you specifically what data of yours was involved.

Can I sue Medibank over the breach?

Class action litigation is underway in Australia on behalf of affected customers. You can register your interest with the law firms running those actions. Individual legal claims are also possible in principle, though proving specific financial or personal harm is required.

Should I switch health insurers because of this?

That depends on your specific cover and circumstances. Switching health insurers doesn't erase the breach or reduce the risk from data that's already been exposed. What it might address is your confidence in the company going forward. Compare policies carefully before switching, because continuity of cover rules mean changing insurers can affect waiting periods for certain treatments.

What should I do if I think someone is using my stolen Medibank data?

Contact IDCARE on 1800 595 160. They're Australia's national identity and cyber support service and they provide free help to people affected by data breaches. Report any financial fraud to your bank immediately and to the Australian Cyber Security Centre at cyber.gov.au.

Is ahm affected by the Medibank breach?

Yes. Ahm is owned by Medibank Private. Customer data from both brands was compromised in the same attack.

What to Do Now

The Medibank breach happened. The data that was taken cannot be taken back. What you can control is how you respond to it.

Update your Medibank password today if you haven't already. Enable multi-factor authentication on your account. Register with IDCARE if you want support navigating the identity risk. Check the class action registration options if you want to be part of any legal outcome.

And if you're shopping for private health insurance and weighing your options, visit ptna.com.au to compare cover from providers across the market with help from advisers who understand both the products and the privacy landscape they operate in.

The question of what is the issue with Medibank has a long answer. The short version is that a company holding the most sensitive health data of nearly ten million Australians wasn't protecting it the way it should have been. That matters whether you're still a customer or not.

Armstrong Lazenby
About the author

BSc (Human Nutrition) registered nutritionist. Bachelor of Science (Exercise Science major) Master of Sports Medicine.
