Medibank hit with $250M penalty for cyber breach

APRA claims fine reflects “weaknesses identified in Medibank’s information security environment”.

David Koczkar (Medibank)

Credit: Medibank

Insurer Medibank has been thwacked with a $250 million capital charge following last year’s massive data breach. 

The Australian Prudential Regulation Authority (APRA) ordered Medibank to have a capital adequacy requirement of $250 million as a result of the “weaknesses” identified in its information security environment.

APRA conducted a review of Medibank’s major cyber incident in October 2022, which ended up affecting 9.7 million current and former customers. 

The capital adjustment, effective from 1 July 2023, will be applied to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework. Medibank told shareholders that it holds the funds to meet the charge.  

“It will remain in place until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction,” the regulator claimed. 

APRA will also conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture.   

In its announcement, the regulator noted the breach was the most significant cyber incident in Australia’s history.

“As noted previously, APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate. I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities,” said APRA member Suzanne Smith. 

Smith also claimed that APRA had identified poor cyber security practices and inadequate oversight from other organisations’ boards and management. 

As a result of the breach, Medibank faces a class action by the law firm Slater and Gordon.

“Safeguarding customer data is a responsibility Medibank takes very seriously,” Medibank CEO David Koczkar told shareholders following APRA's announcement. 

“Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve. We will continue to work to enhance our systems and processes even further.”

