Medibank hit with shareholder class action after Russian hackers infiltrated customer database

Already faced with a $150m clean-up bill, Medibank is facing a class action from shareholders after last year’s cyber attack hammered its share price by more than 18pc.

Jared Lynch

@jaredm_lynch

2 min read

4:30PMJune 29, 2023

The Australian Business Network

Medibank CEO David Koczkar has apologised to customers and says the health fund remains well capitalised. Picture: NCA NewsWire / Nicki Connolly

Australia’s biggest health insurer, Medibank, has been hit with a fresh class action after Russian hackers stole the health records and other personal information of 9.7 million of its customers last year.

But rather than representing customers, law firm Phi Finney McDonald says it is seeking to recover losses suffered by Medibank investors after the company’s share price dived more than 18 per cent following the attack.

Phi Finney McDonald principal lawyer Cameron Myers has accused Medibank of engaging in misleading and deceptive conduct and breaching its continuous disclosure obligations about the “adequacy of its privacy and information security protections”.

It comes two days after the Australian Prudential Regulation Authority ordered Medibank to hold an extra $250m in capital and to undergo a targeted technology review focused on its governance and risk culture, as fallout from the nation’s largest data breach widened.

“Medibank’s customers and shareholders quite rightly expected the company, as one of Australia’s largest private health insurers, to take adequate steps to protect the incredibly sensitive information that it held. Indeed, Medibank fostered this belief by informing the market that it had appropriate protections in place,” Mr Myers said.

“The market was clearly concerned about the distress and related impact on customers whose data had been accessed, and what that meant for company costs and revenue.

“Based on our preliminary investigations, we believe that Medibank shareholders are entitled to be compensated for losses suffered from the erosion of trust and confidence in Medibank once the true state of affairs was acutely exposed.”

Mr Myers said from market close on October 19 last year when Medibank entered a trading halt, to October 26 when the suspension was lifted, its share price dropped more than 18 per cent after details of the breach were released.

The class action, lodged in the Victorian Supreme Court, is seeking compensation for shareholders that suffered losses as a result of Medibank’s alleged disclosure failures. It is separate to the privacy litigation brought by Medibank customers whose personal and health information was breached.

On Tuesday, APRA announced it would impose an increase in Medibank’s capital adequacy requirement of $250m, reflecting “weaknesses” identified in the health insurer’s information security environment.

The capital adjustment, effective from July 1, will be applied to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework and will remain in place until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction.

Medibank is already facing a $150m damage bill from the cyber attack’s fallout, including potential class action settlements, according to analysts. Medibank chief executive David Koczkar has apologised repeatedly for the attack and has been co-operating with cyber security and law enforcement agencies.

Mr Koczkar said on Tuesday that “safeguarding customer data is a responsibility Medibank takes very seriously”.

“Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve. We will continue to work to enhance our systems and processes even further.

“Our company remains strong and well capitalised.”