Medibank slugged with $250m penalty for ‘cyber weaknesses’

Australia’s largest health insurer will undergo a regulator-led technology review of its governance and risk culture after it suffered the largest data breach in the country’s history.

The insurer is already facing consumer class action lawsuits over the October 2022 data breach in which nearly 10 million customers had personal information including names, dates of birth, addresses and phone numbers compromised. Picture: NCA NewsWire / Christian Gilles

Australia’s largest health insurer Medibank has been ordered to hold an additional $250m in capital and to undergo a targeted technology review focused on its governance and risk culture, as fallout from the nation’s largest data breach widens.

The financial industry’s prudential regulator on Tuesday announced it would impose an increase in Medibank’s capital adequacy requirement of $250m, reflecting “weaknesses” identified in the health insurer’s information security environment.

The capital adjustment, effective from July 1, will be applied to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework and will remain in place until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction.

APRA will also conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture.

The insurer is already facing consumer class action lawsuits over the October 2022 data breach in which nearly 10 million customers had personal information including names, dates of birth, addresses and phone numbers compromised.

“While Medibank has already addressed the specific control weaknesses which permitted unauthorised access to its systems, it still has further work to do across a number of areas to further strengthen its security environment and data management,” APRA said in a statement on Tuesday.

It is believed APRA’s action will increase Medibank’s regulatory capital requirement by about 19 per cent on the $1.32bn the insurer held at the end of FY22. APRA’s new private health insurance capital framework also comes into force from July 1, increasing Medibank’s capital needs further.

“Safeguarding customer data is a responsibility Medibank takes very seriously,” Medibank CEO David Koczkar said on Tuesday.

“Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve. We will continue to work to enhance our systems and processes even further.

“Our company remains strong and well capitalised.

Medibank CEO David Koczkar, Docklands, Melbourne. Picture: NCA NewsWire / Nicki Connolly

“We continue to support our customers through the Medibank Cyber Response Support Program, which includes mental health and wellbeing support, identity protection and financial hardship measures.”

APRA member Suzanne Smith said the October 2022 cyber incident was one of the largest in Australian history.

“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program.

“This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.

“As noted previously, APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate. I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities.”

Ms Smith said that since launching its 2020-2024 Cyber Security Strategy, the regulator had repeatedly stressed the importance of an uplift in cyber security and continued vigilance to identify and address cyber exposures.

“Unfortunately, not all entities are heeding these messages as we continue to identify poor cyber security practices and inadequate oversight from boards and management.”

In October last year Russian hackers accessed the health records and other personal information of almost 10 million current and former Medibank customers. After the company refused to pay a $15m ransom, the attackers published customer claim data for sensitive conditions – including abortions, drug and alcohol abuse and mental health disorders – on the dark web.

Late last year APRA said it would “intensify its supervision of all entities not meeting the information security prudential standard CPS 234 as a result of the extensive independent review underway, and other supervisory activities.”

Introduced in 2019, CPS 234 was designed as a measure to boost cyber resilience. It requires banks, insurers and superannuation funds to maintain information security capabilities commensurate with the threats they face, to test their controls regularly, and to notify APRA of material information security incidents (no later than 72 hours after becoming aware of one).

Medibank told investors in April that it had been provided with Deloitte’s findings from a review into the cybercrime incident, but said it would not be detailing the findings or releasing the report.

“Deloitte has made recommendations to enhance Medibank’s IT processes and systems,” a spokeswoman said at the time.

“We don’t think it is in the interests of our customers or the broader Australian community to publicly release their findings given the security risks this would pose, not only to Medibank but other Australian businesses.”

Analysts have estimated the clean-up bill – which includes customer lawsuits – could cost Medibank as much as $150m.

Original URL: https://www.theaustralian.com.au/business/technology/medibank-slugged-with-250m-penalty-for-cyber-weaknesses/news-story/589454f868c039d6e0728135a8f645e1