Private health insurer nib faces tough questions after displaying the personal details of its customers, including mobile numbers, email addresses and claims history, on its website in an accidental breach of confidential information.
Concerned nib customers notified the insurer of the problem on Monday morning. One also contacted Fairfax Media, alarmed that private data was available, saying he was shocked at the detail.
He said he could still access the data half an hour after he alerted the company's call centre.
"I'm concerned somebody could look at my stuff. I'm worried about my privacy," he said.
Fairfax understands that customers, through their nib accounts, were able to see the names, birth dates, contact details, and claims history of other customers.
Between 10.33am and 11.35am on Monday, the data was available on nib's customer portal. A total of 329 customers accessed the online portal during this time.
The nib website was taken down briefly, presumably to address the issue.
A nib spokesman said once the insurer became aware of the problem it disabled the service immediately.
The spokesman said nib was working hard to contact all affected customers by telephone by Monday afternoon.
"nib can confirm that no credit card information of any customer was displayed. The cause of the issue has been identified and resolved and services restored," the spokesman said.
"nib apologises unreservedly to the customers affected by this issue. nib takes the privacy of our customers very seriously and has also taken the step to contact key stakeholders including our regulator and ombudsman."
Detailed records including other customers' treatment history were accessible via nib's website.
The Office of the Australian Information Commissioner, which also houses the privacy commissioner, will be contacting nib to discuss the matter.
The Private Health Insurance Ombudsman is also likely to be investigating the breach.
"They've [nib] spoken to me and I'm aware of it," said Sean Gath, the chief executive of the Private Health Insurance Administration Council.
"They need to get it sorted as quickly as possible and give assurances to customers and I believe that is what they are doing."
One of Australia's biggest health insurers, nib provides cover to more than 1.1 million people in Australia and New Zealand.
Affected nib customers who spoke to Fairfax on Monday said they had not been contacted by the insurer. Some also said they were in the process of reconsidering their insurance provider.
"I was not aware, I would like to know what's going on," said one customer.
"We are actually in the middle of changing health funds."
Another said: "I want them to cancel my payment for the next year because I need to think about the insurance I need."
June is a key selling month for health insurers and policy lapse rates have been rising.
For example, Medibank Private, the nation's biggest private health insurer, books about 20 per cent of its sales in June.
James Turner, an adviser at research firm IBRS, said the onus was now on nib to prove to its customers that the leaked data had not put them at risk. He said even innocuous-looking data leaked online could be used by hackers to build a detailed picture of individuals' lives and activities.
Details from one website breach could be married up and cross-referenced with data from an incident at a separate organisation, with serious implications for individuals ranging from personal embarrassment to identity theft.
"On the surface this may not look like a particularly serious breach, but we need proof to that effect in order to restore customers' faith," Mr Turner said.
"The trouble for nib in doing this is that they are on the back foot. They didn't notice the breach themselves and were alerted by a third party, so internally they will be scrambling to figure out what happened, and won't be anywhere near being able to give accurate information."
Shares in nib fell 0.6 per cent to $3.38 on Monday.
WITH PAUL SMITH.