Medibank penalised over huge data hack

Australia’s financial watchdog has taken action against Medibank over the 2022 cyber attack that saw the private information of nearly 10 million customers stolen and published online.

Jun 27, 2023, updated Jun 27, 2023
Photo: AAP

Medibank will be forced to hold an extra $250 million in capital in order to cover its bases following the October 2022 cyber incident that affected customers of both the private health insurer and subsidiary Ahm.

Announced this morning, the Australian Prudential Regulation Authority’s (APRA) penalty is an increase in the company’s capital adequacy requirement, “reflecting weaknesses identified in Medibank’s information security environment”.

APRA Member Suzanne Smith said the cyber incident was one of the most significant data breaches ever experienced in Australia.

“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program,” Smith said.

“This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.

“As noted previously, APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate. I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities.”

The capital adjustment requires Medibank to have an extra $250 million set aside at all times, and will remain in place until an agreed remediation program of work is completed by the private health insurer to APRA’s satisfaction.

The financial watchdog added that it would also conduct a targeted technology review of Medibank, with a focus on governance and risk culture.

“APRA notes that while Medibank has already addressed the specific control weaknesses which permitted unauthorised access to its systems, it still has further work to do across a number of areas to further strengthen its security environment and data management,” APRA said in a statement.


The watchdog’s action follows a class action lawsuit filed in the Supreme Court of Victoria in March this year relating to the 2022 data breach, which saw Russian hackers steal sensitive health records of almost 10 million Australians and dump the data on the dark web.

Legal firm Quinn Emanuel is behind the class action on behalf of shareholders who acquired an interest in the company between 1 July 2019 and 19 October 2022.

Maurice Blackburn also launched a compensation claim against the health insurer over the hack.

Copyright © 2024 InDaily.
All rights reserved.