Medibank’s 2022 data breach cost the health insurer $46.4 million in the 2022-2023 financial year, and the total cost by next year could pass $80 million.
The company disclosed the rising costs in its 2022-2023 annual report released today [pdf].
The costs already incurred covered Medibank’s incident response and its customer support package.
“We expect $30 million to $35 million in 2024 for further IT security uplift, legal costs and other costs related to regulatory investigations and litigation,” Medibank said.
“This does not include the impacts of any potential findings or outcomes from regulatory investigations or litigation.”
The data breach, which emerged in October 2022, occurred when attackers obtained the credentials of a third-party contractor. That resulted in the leak of information on 9.7 million customers.
In June, the Australian Prudential Regulatory Authority launched a “targeted technology review” and imposed an extra $250 million capital requirement on Medibank in the wake of the data breach.
As part of its response, the annual report stated, Medibank established a cyber response board committee comprising board chairman Mike Wilkins, CEO David Koczkar, and risk management committee chair David Fagan.
The annual report also reveals that the CEO and key management personnel had their short-term incentive payments reduced by $2.6 million to zero over the incident.
Medibank also revealed that, in addition to the regulatory investigation underway by the Office of the Australian Information Commissioner, it faces as many as three class action lawsuits over the data breach.
Two class actions on behalf of customers led by Baker and McKenzie and Slater and Gordon have been combined into a single lawsuit.
Meanwhile, shareholder lawsuits have been launched by Quinn Emanuel and Phi Finney McDonald. An application has been made in the Federal Court to combine these into a single action.