Medibank faces $150m damage bill, class actions and higher IT costs from hack, analysts say

Australia’s biggest health insurer is expected to pay up to four times in remediation costs than it originally forecast following a ‘painful’ cyber attack, according to analysts.

Jared Lynch

@jaredm_lynch

3 min read

2:28PMOctober 27, 2022.

Updated 7:34PMOctober 27, 2022

The Australian Business Network

Data of all Medibank customers comprised in cyber-attack

The damage bill from Medibank’s cyber attack could hit $150m – more than four times the figure the health insurer estimates – with the company facing potential class actions, according to modelling from equities analysts.

On Wednesday, the company confirmed personal data of its 3.9 million policyholders – and potentially millions of former customers – had been exposed.

Scott Russell, a UBS analyst, forecast three scenarios on how the breach will hit the company. “We believe additional costs are likely to be incurred from further potential remedial work, class actions, and possible regulatory fine and ransom demands,” Mr Russell wrote in a note to investors. “A downside scenario would also include potential brand damage, prolonged market share loss, and a structurally higher IT cost base.”

On Thursday, the health insurer the hack had also exposed personal information of patients in its My Home Hospital system.

Medibank runs the service in partnership with not-for-profit hospital operator Calvary on behalf of Wellbeing SA and the South Australian government.

“It has become clear overnight that the criminal has accessed patient information relating to My Home Hospital,” the health insurer said in a statement.

“While Medibank has not yet determined if the data has been illegally taken from our system, we know it has been accessed.”

Medibank’s market value slumped about $1.7bn on Wednesday – after it emerged from a seven-day suspension – as hackers linked to a Russian criminal group threatened to expose the records and other sensitive information of millions of Australians.

Medibank shares rose 0.5 per cent, or 1.5c, on Thursday after beginning trade lower to close the day at $2.88. They are down 16 per cent since December 31.

Under Mr Russell’s downside scenario, remediation costs would total $150m – compared with between $25m and $30m Medibank forecast on Wednesday – while its shares would fall to $2.72. Meanwhile, policyholder growth would drop 4.3 per cent.

Medibank has withdrawn its policyholder growth guidance, citing the uncertainty of the attack, and after saying previously that it did not expect the breach to derail its earnings forecasts. It will now update investors when it releases its next set of financial results in February.

Medibank is expected to pay up to four times in remediation costs than it originally forecast following a ‘painful’ cyber attack. Picture: Stefan Postles/AAP Image

Mr Russell expects Medibank – which is Australia’s biggest health insurer with more than 27 per cent of the share – to halt its policyholder growth momentum. But he said market share erosion would be less than 5 percentage points, citing his base case. This scenario would still have Medibank paying hefty remediation costs – about $85m – but its share price would bounce to $3.70.

“Whilst we are anticipating some share loss to result, no we don’t expect market share loss to this extent. This reflects our view of the Medibank brand strength, careful customer handling and broader consumer perceptions of value for money in Medibank products,” Mr Russell said.

“Despite these optimistic views, we are nonetheless allowing for zero policyholder growth in the near term, grinding back towards 2 per cent per annum over the next 18 months.

“This is in the context of a buoyant industry with improving (private health insurance) participation. Our base case forecasts roughly assume 1-2 percentage points of market share loss over the next three years.”

In Mr Russell’s upside scenario, which includes remedial costs of $30m – within the range Medibank suggested – the insurer’s shares would rise to $4.18.

He said he expected Medibank to sustain margins of more than 7.5 per cent during the next three years.

“This would compare with Medibank net margin averaging 7.4 per cent since IPO in 2014.

Morningstar analyst Nathan Zaia described the steep fall in Medibank’s share price on Wednesday as an “over-reaction” and but he expects the insurer to pay higher remediation costs than it had estimated. “Customer remediation, regulatory penalties, and potential litigation costs are even more difficult to forecast given there is no real precedence, we have allowed $100m in related costs in fiscal 2024 – though it may take longer for these to resolve,” said Mr Zaia, who values the company at $3.30 a share.

“With such a large data breach of sensitive information there is a real cost of supporting customers – from customer communication and taking inbound calls, mental health support, covering costs of identity monitoring services from third parties, and reissuing identity documents where necessary.”

Mr Zaia is expecting Medibank not to experience any further policyholder growth this year following the attack.

“We have lowered our fiscal 2023 and 2024 policyholder numbers by about 2 per cent. We assume 0.7 per cent growth in fiscal 2023 which is essentially the new customer wins before the cyber incident occurred,” he said.