Medibank loses 13,000 customers from cyber attack but profit up
Medibank has revealed a faulty firewall allowed the biggest cyber assault in Australia’s history, sparking an exodus in customers that is only now starting to turn.
Business
Don't miss out on the headlines from Business. Followed categories will be added to My News.
A dip in policyholders is expected to be short-lived for Medibank after it became the target of Australia’s biggest cyber heist, with chief executive David Koczkar saying the health insurer will return to pre-attack growth levels before the end of this financial year.
The company lost almost 13,000 out of about four million policyholders in the December quarter – and for the first time revealed how the cyber criminals infiltrated its network, with a “misconfigured” firewall partly to blame.
But Mr Koczkar said policyholder exits had slowed in January and had returned to growth this month.
The company halted spending on marketing and customer retention after Russian hackers accessed its policyholder database, diverting resources into the cybercrime’s massive clean-up.
“As we reinstate these normal activities, it’s giving us confidence to resume that normal rate of growth,” Mr Koczkar said.
“Our expectations for the full year is that we’ll grow by 0.5 to 0.75 basis points. What that means is in the fourth quarter of this financial year we’ll get back to similar sorts of growth rates that we had in Q1 before this cyber event.”
The company’s shares surged 6.5 per cent to $3.28 on Thursday, giving it a market value of $9.03bn. Analysts said Medibank’s customer loss rate from the cyber attack was less severe than expected while its earnings outlook looks robust.
Medibank has so far spent more than $26m strengthening its cyber defences and for the first time has revealed how Russian hackers accessed its database of more than nine million current and former customers.
At the height of the cyber heist, attacks on Medibank soared from about 10 million to 80 million a day. It is now fending off around 18 million a day.
It comes as Medibank’s interim net profit jumped 5.9 per cent to $233.3m, while revenue firmed 1.3 per cent to $3.63m.
The company revealed that the cyber criminals used a stolen Medibank username and passwords that were used by a third party IT service provider.
It then gained access to Medibank’s network via a “misconfigured firewall”, which did not require an additional digital security certificate.
After Medibank refused to pay a $15m ransom, the hackers published the medical and claims data of policyholders on the dark web, most of which was difficult to understand.
Barrenjoey head of insurance Andrew Adams said “the core resident policyholder loss was not as severe as expected and the outlook looks in line or above consensus expectations”.
Citi meanwhile said: “The policyholder growth in February also looks positive, although we remain a little wary of a further wave of criminal activity.”
Medibank’s core health insurance business revenue rose 2.2 per cent to $3.54bn. Meanwhile, total claims paid increased 0.5 per cent to $2.9bn.
“The resident health insurance market remains buoyant, with growing numbers of younger adults and those taking out cover for the first time despite the challenging economic conditions,” Mr Koczkar said.
“We expect resident policyholder growth approximately 0.5-0.75 per cent, assuming recent trends continue and a modest decline in industry growth rate in FY23 relative to FY22.
“While our short-term focus is on regaining momentum in our core resident business, our strategy to grow as a health company has not changed.”
Medibank’s deferred claims liability, which is in recognition of claims that have likely been postponed since the beginning of pandemic restrictions, fell $36.7m to $411.6m.
“This was due to the impact of lapsed customers and the expiration of Medibank extras limits. Due to resident claims being below our expectations and the absence of government restrictions on hospital admissions, claims deferral was ceased from June 30, 2022,” the company said.
“Gross margin increased 100 basis points to 16.4 per cent and underlying gross margin increased 50 basis points to 15.3 per cent. This was due to a 10 basis point increase in the resident business underlying gross margin, and favourable tenure and mix impacts in the non-resident business.”
Revenue for Medibank Health – which includes its telehealth, hospital joint ventures and other medical services – dived 22.5 per cent to $92.8m. The division’s profit sagged 4.3 per cent to $24.6m.
“Despite reduced Covid impacts on Medibank Health this period compared to prior periods, the homecare business continued to be impacted by subdued private hospital admissions and higher labour costs, and telehealth was impacted by the transition out of the 1800RESPECT and Beyond Blue contracts in 2H22,” Mr Koczkar said.
“Excluding the impact of the contract transitions, operating profit increased 14.6 per cent and segment profit increased 7.4 per cent.”
Net investment income jumped nearly 81 per cent to $55.9m, with the company attributing the gains to higher interest rates and narrowing credit spreads.
Medibank will pay an interim dividend of 6.3c a share, fully franked, on March 22.
More Coverage
Originally published as Medibank loses 13,000 customers from cyber attack but profit up
Building tomorrow: How Australia can thrive as global population explodes
The global population could soar to 11 billion by 2100, bringing enormous opportunities for Australia’s resources and skills, writes Bernard Salt.
China, India to drive record coal demand
Global coal production reached a record in 2023, powered by growth in China, India and Indonesia.