Medibank hack: Customers vent fury as health insurance company suffers $1.7-billion hit

Medibank Private chief executive David Koczkar has defended the company’s handling of a damaging cyberattack amid growing fury from customers and investors over the spiralling data breach that has now affected more than 4 million Australians.

Shares in the nation’s largest private health insurer tumbled 18 per cent on Wednesday, the first day of trading in almost a week, erasing about $1.7 billion from its market value. The decline came after the company confirmed that hackers accessed personal information on all 4 million of its customers and an unknown number of former members, in another escalation of the incident.

Alexandra is one of many Medibank customers who has been left furious with the company’s communications.Credit:Justin McManus

Only two weeks earlier, Koczkar had told customers there was no evidence that their data had been accessed. “We’ve shared what we could when we can share it, and that does involve incomplete information. Things are moving very fast,” he said in an interview. “As soon as things become clear to me, we will share it.”

Dozens of Medibank customers have contacted this masthead to express their fury with the way Medibank has handled the incident, including Melbourne woman Alexandra, who said she was left appalled by the company’s communications.

In light of the crippling attack, management has withdrawn forecasts for policyholder growth and said it would update the market later in the year. The company estimates that it will have to spend $25 million to $35 million to improve its cybersecurity, contact customers and investigate the breach in the first half of the 2023 financial year. But the company confirmed that it lacks cyber insurance and flagged that it could not quantify the overall cost of the incident. Potential risks include regulatory action, customer remediation and lawsuits.

The stolen data is from current and former customers and includes names, addresses, birthdates, Medicare numbers, contact information and claims data from the private health insurer. The list of Medibank customers affected potentially includes high-profile Australians.

The hackers have also claimed to possess credit card information, although Medibank said there was no evidence – at this stage – that this is the case, but emphasised that its investigations are continuing.

Medibank announced a support package for affected customers, which includes hardship provisions to provide financial assistance to customers who are in a uniquely vulnerable position as a result of this crime. It is also allowing access to Medibank’s mental health and wellbeing support line for all customers, including customers of its budget ahm service.

The group is also giving affected customers access to specialist identity protection advice and resources from IDCARE, free identity monitoring services for customers who have had their primary ID compromised and reimbursements for the “re-issue of identity documents that have been fully compromised in this crime”.