Medibank customer data hack could cost up to $150m, according to expert
Medibank is going to foot a hefty bill as remedy needs, class actions and ransom demands spiral out of control following the breach of its customer data.
Business
Don't miss out on the headlines from Business. Followed categories will be added to My News.
An expert has warned that the Medibank cyber security breach could cost the company a whopping $150 million.
It’s the latest piece of bad news for Medibank following the hack of its customer data, which has seen the ASX-listed company pause trading for a week and then dive to a 17-month low of $2.95 when it reopened on Wednesday morning.
Earlier this week, Australians were hit by the revelation that the private health provider didn’t have cyber security insurance.
As a result, Medibank estimated the cyber crime event will come at a cost of between $25 and $30 million for investors.
But in an emailed note, UBS analyst Scott Russell warned that the figure would be much higher, per The Australian.
“We believe additional costs are likely to be incurred from further potential remedial work, class actions, and possible regulatory fine and ransom demands,” he wrote. “A downside scenario would also include potential brand damage, prolonged market share loss, and a structurally higher IT cost base.”
In all, he estimated $150 million was a more accurate guess for the fallout of Medibank’s catastrophic cyber crime event.
Earlier this week, it emerged that all Medibank’s customer personal data was exposed to cyber criminals along with “significant amounts” of health claims.
The scandal now threatens to eclipse the recent Optus breach, with 3.9 million customers potentially affected at Medibank.
The hacker behind the data theft had access to “all ahm customers’ personal data and significant amounts of health claims data, all international student customers’ personal data and significant amounts of health claims data, and all Medibank customers’ personal data and significant amounts of health claims data”, according to the company.
While it was initially believed it was only customers with ahm and international students policies, the insurance company has now said all customers were impacted by the hack.
The hacker has accessed very specific claims data which could include the medical conditions customers have been diagnosed with and treatment they were prescribed.
This could potentially include deeply personal information relating to sexual health, serious diagnoses such as cancer, whether a woman has undergone a termination, and whether a person has been treated for a mental health condition or substance abuse.
Medibank, which is Australia’s largest health insurer with a larger than 27 per cent market share, has announced a support package for affected customers.
The support includes a hardship package to provide financial support for customers who are in a uniquely vulnerable position as a result of the crime, access to Medibank’s mental health and wellbeing support line for all customers, access to specialist identity protection advice and resources, free identity monitoring services for customers who have had their primary ID compromised and reimbursement of fees for reissue of identity documents that have been fully compromised in this crime.
But it’s not enough, according to Mr Russell, who thinks more offers of support to customers, class actions and government fines will turn the data breach into a $150 million error.
Mr Russell warned that new customers would not be swarming to join Medibank after the latest saga as it had added to “broader consumer perceptions of value for money in Medibank products”.
He predicted a “zero policy holder growth in the near term” but this would go back to 2 per cent a year over the next 18 months.
— With Alexis Carey and wires
Have you been impacted? Contact alex.turner-cohen@news.com.au
Originally published as Medibank customer data hack could cost up to $150m, according to expert