
Posted: 2022-11-13 21:02:42

Medibank has confirmed that the details of almost 500,000 health claims were stolen, along with personal information, after a group hacked into its system last month.

No credit card or banking details were accessed.

Australian Federal Police Commissioner Reece Kershaw named Russia as the home of the hacking group on Friday, with this masthead revealing that authorities believed the notorious REvil group was involved.

Medibank faces a fiery annual meeting where shareholders get to question the board members and executives about the attack, which resulted in hackers drip-feeding customer data after the company refused to pay a $US10 million ($15 million) ransom.

Proxy investment advisers ISS and CGI Glass Lewis are telling investors to support all resolutions at the meeting, including the remuneration report and performance incentives for Koczkar. He received more than $2 million worth of short-term incentives and performance rights as part of his remuneration of $3.76 million last year.

However, while CGI Glass Lewis has recommended all directors be re-elected on Wednesday to ensure the group has a stable board to respond to “rapid developments”, it flagged that board renewal and executive scalps may be needed over the coming year and raised the spectre of executive pay “clawbacks” to account for any shortcomings that allowed the attack to be so damaging.

“It may be the case that in due course, the board and executive team will require renewal to a) bolster its skills and knowledge of cybersecurity and b) show accountability for the loss of privacy to its customers and the loss of value to Medibank shareholders,” said CGI.

As the damage to Medibank customers grows, so does the potential payout from any class action launched against the group.

Law firm Maurice Blackburn confirmed it was reviewing whether customers affected by the hack could be entitled to compensation.

The firm’s principal lawyer, Andrew Watson, said the breach of data was one of the most serious seen in Australia.

“Companies that hold their customers’ sensitive health information have an important obligation to make sure that information is safeguarded, commensurate with the sensitivity of that data,” he said.

“Medibank have a heightened responsibility to put in place greater safeguards to secure the personal and health claim information it collected from its customers.”

Bannister Law Class Actions and Centennial Lawyers launched a class action last week and said they are already being inundated by Medibank customers.

“Some individuals are literally living in fear for their lives if their addresses are made public, others live in fear of public ridicule, the loss of their employment and relationship break-ups if their sensitive medical information is made public,” Bannister said.

“Others are at risk of being blackmailed if their HIV status or other health information is made public. Some of Medibank and AHM’s clients will be police or security officers who are at great personal risk if their personal details and the details of their close family members become public.”

Home Affairs Minister Clare O’Neil has flagged it could soon be illegal for companies to pay ransom demands to hackers should they be subject to a data breach.

“The way we’re thinking about the reform task ... is a bunch of quick wins, things that we can do fast, and the standing up for the new police operation is one of those,” O’Neil told the ABC’s Insiders on Sunday.

“There’s some really big policy questions that we’re going to need to think about and consult on, and we’re going to do that in the context of the cybersecurity strategy.”

She also hinted that both Optus and Medibank fell short in their cybersecurity efforts.

“I think what we saw with Optus and Medibank is two Australian companies that hold very personal information about Australians, and that means they owe big obligations to Australians to protect that information,” O’Neil said.

“And in both of those instances, the proof is in the pudding that the information did get out and that tells us that proper protections weren’t in place.”

Support is available from Beyond Blue on 1300 22 4636 and Lifeline on 13 11 14.
