Medibank overhauls leadership, focusing on tech and reputation after cyber attack
Faced with customer and shareholder class actions after last year’s cyber attack, Australia’s biggest health insurer has overhauled its executive team.
Medibank has created a new data management executive role and “dedicated customer trust team” – 10 months after a disastrous cyber attack – as part of a broader management overhaul.
The position – which is yet to be filled – will have a “dedicated focus on technology, data management and core platforms”. An external recruitment process has begun with senior executive of core Medibank customer systems Kylie Williamson acting in the role.
Late last year, Russian cyber criminals hacked into Medibank’s customer database of almost 10 million policyholders, and published health records and other sensitive information – such as pregnancy terminations and mental health conditions – on the dark web.
The company, Australia’s biggest health insurer, is now facing several customer and shareholder class actions, and a clean-up bill of about $150m.
Medibank will also create a new executive role managing “policy, advocacy and reputation” with corporate affairs boss Meaghan Telford appointed to the position. It will also expand the role of the chief customer officer and create another new position “group lead – digital & ventures”.
Chief executive David Koczkar said the changes would ensure the focus and leadership of the organisation continues to evolve to meet the needs of its customers and a changing health system.
“As an organisation we are working hard to continue to meet the needs of our customers, while ensuring that we are contributing to improving health access and outcomes for people in Australia,” he said.
“We know that digitisation has a big role to play in the future of health, and as a result we are introducing a dedicated role to the executive leadership team in this space.
“We are also establishing a dedicated customer trust team. Customers expect more of the organisations they interact with, and we want to ensure we are meeting this challenge.”
Mr Koczkar said Ms Telford’s role recognised the “increasing role we play with health stakeholders in delivering more for the community”.
“Our strategy remains focused on delivering for our customers, and these changes will enable us to continue to best meet their needs in the future,” he said.
Phi Finney McDonald principal lawyer Cameron Myers – which is representing shareholders in a class action filed last month – accused Medibank of engaging in misleading and deceptive conduct and breaching its continuous disclosure obligations about the “adequacy of its privacy and information security protections”.
The action came two days after the Australian Prudential Regulation Authority ordered Medibank to hold an extra $250m in capital and to undergo a targeted technology review focused on its governance and risk culture, as fallout from the nation’s largest data breach widened.
“Medibank’s customers and shareholders quite rightly expected the company, as one of Australia’s largest private health insurers, to take adequate steps to protect the incredibly sensitive information that it held. Indeed, Medibank fostered this belief by informing the market that it had appropriate protections in place,” Mr Myers said late last month.
“The market was clearly concerned about the distress and related impact on customers whose data had been accessed, and what that meant for company costs and revenue.”
The new executive team – with the changes effective from Monday – comprises Mr Koczkar as chief executive; Kylie Bishop, group Lead – people, spaces & sustainability; Rob Deeming, digital & ventures; Milosh Milisavljevic, chief customer officer; Mei Ramsay, trust legal & compliance and company secretary; Mark Rogers, chief financial officer; Meaghan Telford, policy advocacy & reputation; Kylie Williamson (acting), data and technology; Andrew Wilson, chief executive Amplar Health.
Last month, APRA announced it would impose an increase in Medibank’s capital adequacy requirement of $250m, reflecting “weaknesses” identified in the health insurer’s information security environment.
The capital adjustment, effective from July 1, will be applied to Medibank’s operational risk charge under the new Private Health Insurance Capital Framework and will remain in place until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction.
Richard White must step aside to protect WiseTech
At the very least, the WiseTech boss should take up his board’s suggestion to temporarily vacate his position.
Magnis risk reports ‘went unanswered’
Magnis’ former head of risk tried to blow the whistle on the firm’s relationship with its battery gigafactory iM3NY years before being seized by lenders amid near-insolvency.