Medibank is continuing to pay for the massive data breach in 2022, with the private health insurer expecting to incur costs of more than $125 million by the end of the next financial year, excluding a range of civil penalties it is also facing.
In its financial results for the 2024 full financial year, Medibank revealed it had spent $39.8 million on cybercrime-related initiatives and legal fees, after spending $46.4 million in the previous year.
The financial results also revealed that the organisation is expecting to incur similar costs in the 2024-25 financial year, which would bring total costs relating to the breach to at least $125 million by midway through next year.
These cybercrime costs include “further IT security uplift and legal and other costs related to regular investigations and litigation”.
Of the $39.8 million spent in the last year, $17.4 million went to office and administrative expenses, $13.4 million for employee benefits, and $9 million for IT expenses.
In October 2022 Medibank fell victim to a major cyber data breach, with the highly sensitive personal information of 9.7 million individuals compromised and eventually posted on the dark web after a ransom payment was denied.
Legal worries
The $125 million-plus that this incident is expected to cost Medibank is on top of any legal orders and fees imposed on the organisation.
Medibank is facing civil proceedings in Federal Court, a customer class action in Federal Court, and a shareholder class action in Victoria, all of which could result in the imposition of further fines.
Earlier this year the Office of the Australian Information Commissioner (OAIC) filed civil proceedings against Medibank in the Federal Court, alleging it had “seriously interfered” with the privacy of millions of Australians.
The privacy watchdog is alleging Medibank “interfered with the privacy of approximately 9.7 million individuals whose personal information it held” by failing to take reasonable steps to protect it, in breach of Australian privacy law.
The OAIC also alleged that Medibank was “aware of serious deficiencies in its cyber security and information security framework” for at least 18 months before the hack.
These alleged “deficiencies” include the lack of multi-factor authentication.
According to court documents filed by the OAIC, this lack of multi-factor authentication allowed the cyber criminals to gain access to the credentials of an employee of a Medibank contractor, leading to the wider breach.
Medibank is facing a penalty of $2.2 million for each proven contravention of Australian privacy laws.
Medibank is also facing a customer class action lawsuit in the Federal Court, brought by Baker & McKenzie.
The parties are seeking damages, declarations of contraventions of privacy law, and injunctive relief.
A separate class action brought by Medibank shareholders is also looming in Victoria, with allegations of misleading or deceptive conduct by Medibank.
“Ongoing legal and regulatory matters, as a result of the 2022 cybercrime event, may result in costs associated with litigation, fines and penalties, compensation, and / or other regulatory enforceable actions,” Medibank’s financial results said.
“Such costs are uncertain and dependent on the outcome of legal and regulatory processes which remain ongoing.”
Medibank has also been required to set aside $250 million by the Australian Prudential and Regulation Authority (APRA) as insurance against issues relating to the data breach.
APRA said this amount reflected “weaknesses” in Medibank’s information security environment
At the start of this year, the federal government imposed unprecedented cyber sanctions on a Russian man accused as being involved with the Medibank data breach.
In February, Aleksandr Ermakov was reportedly arrested by Russian authorities.
Medibank’s financial results revealed a group operating profit of $699.8 million in the financial year, up from 7.9 per cent the previous year, with an underlying net profit after tax of $570.4 million.