NewsBite

This was published 1 year ago

After a disastrous hack, will customers forgive Medibank?

By Colin Kruger

At the start of 2022, Medibank Private was showing the private health insurance sector the way to a brighter future with consecutive quarters of policyholder growth and a flash marketing campaign that had investors singing its praises.

Then, the unthinkable happened.

Sensitive Medibank customer data was leaked onto the dark web. Credit: Getty Images / Louise Kennerley

Hackers gained access to the company’s systems last October, wreaking havoc.

While they failed to lock up Medibank’s computers for a quick ransom play, the criminals gained access to the data of nearly 10 million former and current customers, and proceeded to release sensitive data to the dark web when the company refused to pay a $US10 million ransom demand.

The company lost close to $2 billion in market valuation in one day as the seriousness of the situation became apparent, but sentiment has rebounded strongly this year.

The stock, which crashed more than 20 per cent, from $3.50 to below $3, at the peak of the hack frenzy last year, is back above $3.30. It’s almost as if nothing happened.

But with an investigation by the Office of the Australian Information Commissioner (OAIC) underway, as well as multiple class actions on behalf of investors, can the market really trust that the worst is behind the stock despite the remarkable recovery this year?

Industry: Health

Main products: Private health insurance

Key figures: Despite the damaging attack, David Koczkar remains the company’s chief executive, a role he has held since May 2021. Mike Wilkins is the company chairman.

Medibank faced a class action in the Federal Court over the damaging cyber attack. Credit: Kara Lau

How it started: Medibank started as a government-owned not-for-profit insurer in 1976, before being converted to a for-profit corporation in 2009 and privatised in 2014 with a listing on the ASX at $2 a share.

How it’s going: Medibank was among the leaders in attracting new policyholders to the industry, including younger members, when the cyberattack stopped the private health insurer in its tracks.

Remarkably, the company’s December half-year results, released last month, show that customers managed to quickly shrug off concerns about the massive privacy breach and help it return to a path of policy growth.

The bull case: Medibank added 200 new policyholders in the first 18 days of February, reversing a net exodus of 13,000 policyholders in the December quarter in response to the damaging cyber incident. The opening of international borders has been the big growth driver with Medibank’s international policyholder numbers up 33,400 for the December half year.

Medibank boss David Koczkar. Credit: Luis Enrique Ascui

Medibank has been confident enough to forecast a return to its previous trajectory of gaining market share over its rivals. The stock, which dropped more than 20 per cent to sit below $3 in October – as damage from the cyberattack became clearer – is now trading around the $3.30 mark.

Analysts think Medibank is in a sweet spot. Customers are signalling there is little brand damage from the cyber incident, and the half-year results also showed fatter profit margins, with the group reaping the benefits of price increases, which are keeping ahead of expense growth from policyholder health claims.

“We think it is increasingly more likely that the claim cost savings that began during the pandemic will stick,” says Morningstar.

Koczkar says that rising interest rates and cost of living concerns are not a big issue either, with its customers seeing private health insurance as a necessity.

“Our customers see private health insurance as essential. They’re looking to cut back elsewhere if they are impacted. Things like Netflix, or, changing the supermarket buying patterns or, travel,” he says.

JP Morgan’s Siddharth Parameswaram agrees and put a price target of $3.55 on the stock, which is more than where it was trading before the incident.

“The cyber impacts appear to be dissipating, and the stock may have defensive appeal in an environment of higher interest rates,” Parameswaram says.

The bear case: There is no ignoring the big bear in the corner. The immediate costs of the cyber incident are clear – costs like customer support and beefing up its cybersecurity are expected to be as much as $45 million for the full year.

But the OAIC report will land soon enough and could trigger significant compensation payments for customers – including hundreds of thousands who had sensitive health data accessed by the criminals.

The OAIC will focus on whether Medibank took reasonable steps to protect the personal information it held from misuse, interference, loss, unauthorised access, modification or disclosure.

Then there is the independent report by Deloitte, which could also trigger departures if it finds Medibank’s response lacking.

Analysis from Bloomberg Intelligence says the cyberattack could cost Australia’s biggest insurer up to $700 million, including hefty IT investment. It won’t be the only cost either.

“New Australian data-privacy laws, fast-tracked after a slew of cyberattacks, raise the regulatory risk for companies in all sectors,” Bloomberg Intelligence says.

Even the most bullish analysts like Morningstar concede it is a big unknown. The broker says litigation and penalties are likely but remain difficult to quantify.

  • Advice given in this article is general in nature and is not intended to influence readers’ decisions about investing or financial products. Investors should always seek their own professional advice that takes into account their own personal circumstances before making any financial decisions.

Original URL: https://www.brisbanetimes.com.au/link/follow-20170101-p5c3b2