Medibank has provided an update on the recent cyberattack that saw the hack of customer data for all of its 3.9 million members and estimated the impact on its earnings for the first half of 2023 will be in the range of $25 million to $35 million.
The company said that the criminal hack accessed all Medibank and ahm customer data and significant amounts of claims data, as well as all international student customers’ personal data and significant amounts of claims data.
"As previously advised, we have evidence that the criminal has removed some of our customers’ personal and health claims data and it is now likely that the criminal has stolen further personal and health claims data. As a result, we expect that the number of affected customers could grow substantially," said the company.
It also announced a support package for affected customers that includes financial support, access to mental health and well-being support, access to specialist identity protection advice and resources from IDCARE, free identity monitoring services for customers who have had their primary identification compromised, and the reimbursement of fees for the re-issue of identity documents that have been fully compromised in this crime.
The company said its systems have not been encrypted by ransomware and that normal business operations have been maintained with customers continuing to access health services.
"Concurrent to the investigation, Medibank has prioritised preventing further unauthorised entry to our IT network and is continuing to monitor for any further suspicious activity. This has included bolstering existing monitoring, adding further detection and forensics capability across Medibank’s systems and network and scaling up analytical support via specialist third parties," it said.
Medibank said it is withdrawing its financial year 2023 outlook for policyholder growth and that it will provide a further update when it announces its results for the six months to the end of December.
"Based on our current actions in response to the cybercrime event, noting that Medibank does not have cyber insurance, we currently estimate $25 million-$35 million pre-tax non-recurring costs will impact earnings in 1H23. These non-recurring costs do not include further potential customer and other remediation, regulatory or litigation-related costs," it said.
"This cybercrime event continues to evolve and at this stage, we are unable to predict with any certainty the impact of any future events on Medibank including the quantum of any potential customer and other remediation, regulatory or litigation-related costs."
“Our investigation has now established that this criminal has accessed all our private health insurance customers personal data and significant amounts of their health claims data," said CEO David Koczkar.
“The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal.
“As we’ve continued to say we believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially.
“I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.”