Share this article on:
The health insurer releases half-year financial results as its 2022 data breach continues to loom large.
Medibank has released its half-yearly financial report, and while the numbers are largely looking good for the company, the fallout from its headline-making 2022 data breach continues.
Profits are up 16 per cent for the first half of 2024 on the back of an increase in policy sales, while net profit jumped to $343.2 million – an impressive 103 per cent increase on last year.
Medibank boss David Koczkar talked up the results in a wide-ranging statement but only made passing reference to the company’s ongoing efforts to increase security.
“We remain a strong and resilient business, with a long track record of navigating competitive and economic challenges,” Koczkar said.
“By making disciplined choices in how and where we grow, we remain focused on achieving sustainable growth for the long term. This includes continuing to strengthen our business through our IT security uplift program.”
That uplift program – which is listed under “cyber crime costs” – is expected to cost between $30 million and $35 million this financial year. This figure also includes “legal and other costs related to regulatory investigations and litigation”.
Costs related to the breach totalled $46.4 million in Medibank’s 2023 annual report, and these new figures are in addition to that sum.
That said, Medibank is expecting more costs related to the incident. The above costs exclude “the impacts of any potential findings or outcomes from regulatory investigations or litigation”.
Those “potential findings or outcomes” could be quite extensive.
Listed under contingencies in the company’s full financial report is a section titled Cybercrime event.
“The group was subject to a cyber crime in the prior financial year, which resulted in a data breach,” Medibank said. “Specific contingent liabilities in relation to the cyber crime that may impact the group as known at this reporting period are set out below.”
First up is the ongoing investigation by the Office of the Australian Information Commissioner (OAIC), which began on 1 December 2022. This is to determine “whether Medibank took reasonable steps to protect personal information from unauthorised access and misuse, and to destroy or de-identify personal information that it is no longer required to retain.”
Medibank is cooperating with the investigation and is aware that it may result in further “fines, penalties, enforceable undertakings or other regulatory enforcement action”.
The OAIC is also fielding a “representative complaint” lodged by Maurice Blackburn, Bannister Law, and Centennial Lawyers over the data breach. The complaint alleges that Medibank was in breach of privacy regulations. The lawyers seek compensation for losses and damages incurred in relation to the incident.
Medibank is also facing a class action lawsuit from law firm Baker McKenzie on behalf of customers who are claiming the company breached its contract as well as Australian Consumer Law. There’s also another class action, this time on behalf of Medibank’s shareholders.
Medibanks is defending itself against all proceedings but admits that the “outcome and any potential financial impacts of the matters below are currently unknown”.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.