Medibank has admitted that the personal data of some of its customers — including names, addresses, Medicare numbers and phone numbers — has been stolen in a cyber attack.

In a statement, the company said the criminal group allegedly responsible had claimed that 200 gigabytes of data had been stolen and that it would be reaching out to affected customers to let them know and what to do next.

“The criminal

has provided a sample of records for 100 policies, which we believe has come from our ahm and international student systems,” it said.

“That data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.”

It said the claims data involved where the medical service was and the codes that related to their diagnosis and procedures.

“The criminal claims to have stolen other information including data related to credit card security, which has not yet been verified by our investigations,” it said.

Medibank said it understood the development was upsetting and that it expected the number of affected customers to grow as the incident continued.

Earlier this week, Medibank said it had been contacted by a group that claimed it had removed customer data and wanted to negotiate with the company, but investigations were ongoing to work out if the claim was true. 

More to come.