Medibank’s bill for the data breach it suffered last year continues to grow, with the health insurer expecting to fork out $35 million in 2024.
According to its financial results shared with the ASX, Medibank forked out a whopping $46.4 million in the 2022–23 financial year, and that number is expected to increase to $80 million.
“We have incurred $46.4 million of non-recurring costs associated with the cyber crime, largely related to our incident response and the customer support package,” the company said.
“We expect $30 million to $35 million in 2024 for further IT security uplift, legal costs, and other costs related to regulatory investigations and litigation. This does not include the impacts of any potential findings or outcomes from regulatory investigations or litigation.”
Despite the rising price tag for the cyber attack it suffered last year, Medibank has said that its financial outlook is good and that growth in health insurance resulted in increased profits.
“The 2023 financial results reflect the resilience of our health insurance business, strong underlying profit growth in Medibank Health, and continued strong capital generation.
“Group operating profit increased 9.0 per cent to $647.5 million driven by strong growth in health insurance operating profit of 9.8 per cent, partly offset by a decline in Medibank Health segment profit of 2.9 per cent,” it said.
“In addition to the increase in group operating profit, there was also a significant increase in net investment income of $163.4 million which resulted in a 29.8 per cent increase in NPAT to $511.1 million. Underlying NPAT, which adjusts for the normalisation of investment returns, increased 14.8 per cent to $499.6 million.”
The Medibank cyber breach occurred back in October last year, when cyber criminals gained access to the health insurer’s systems and stole the data of 9.7 million current and former customers of Medibank, its budget brand ahm, and its My Home Hospital service.
The Russian-backed REvil ransomware group claimed responsibility for the attack, saying it had stolen 200GB worth of data.
Alongside the operational costs of the cyber attack, Medibank has been slammed by class action lawsuits which could cost it even more.
Consumer class actions have been launched by Baker & McKenzie, with a second launched by Slater & Gordon. The two were consolidated in the Federal Court in August.
Both Quinn Emanuel and Phi Finney McDonald launched separate shareholder class actions, which may be consolidated into one.
“Quinn Emanuel and Phi Finney McDonald have made an application to the Supreme Court of Victoria to consolidate the two shareholder class actions into one consolidated shareholder class action,” said Medibank.
“The outcome of this application is currently unknown. Medibank is defending the shareholder class action proceedings.”
In addition, the Australian Prudential Regulation Authority launched a targeted technology review in June, which imposed an additional $250 million capital requirement on the health insurer.
Medibank has also “issued $18.3 million of bank guarantees to third parties for various operational and legal purposes, including $10 million in relation to its self-insured workers compensation obligations” and other guarantees.