APRA intensifies scrutiny of Medibank after major cyberattack


The Australian Prudential Regulation Authority (APRA) has intensified its supervision of private health insurer Medibank (ASX: MPL) following a cyberattack in which the personal details of 9.7 million customers in Australia were stolen.

The breach is part of a growing trend of cyberattacks hitting Australian companies, including Australian Clinical Labs (ASX: ACL) owned Medlab Pathology, which saw the health records and credit card information of 223,000 patients and staff leaked one month ago.

APRA said it has “informed the scope” of an external review being conducted by Deloitte, which is also looking into a data breach impacting 10 million current and former Optus customers.  

Announced by Medibank on 16 November, the review will examine the incident, control effectiveness and the response of the health insurer, which refused to pay a $15 million ransom to the criminals behind the data breach.

“While APRA notes Medibank’s constructive response to date, APRA will consider whether further regulatory action is needed when findings of the report become clear,” APRA member Suzanne Smith said.

“APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate.”

An investigative report by the ABC also revealed today that at least 12 million Australians have had their data exposed by hackers in recent months, including logins for personal Australian Tax Office (ATO) accounts and the medical and personal data of thousands of NDIS recipients. The broadcaster said that many of those impacted learnt they were victims of data theft only after being contacted by the ABC.

According to the Australian Cyber Security Centre’s Annual Cyber Threat Report, the agency received more than 67,500 cybercrime reports during the 2020-21 financial year, reflecting a year-on-year increase of 13 per cent. The increase in volume of cybercrime reporting equates to one report of a cyber-attack every eight minutes.

“Recent cyber-attacks reinforce the need for ongoing vigilance and focus by boards on operational resilience,” Smith said.

“They are a stark reminder for boards to ensure they can answer these fundamental questions: Do you know what data you are holding? Do you know where it is? How do you know it is safe? And do you need to retain it?

“Cyber security is a highly significant risk area for all regulated entities and we remind banks, insurers and superannuation funds to remain vigilant in order to protect their beneficiaries and the Australian community.”

APRA’s crackdown comes almost three weeks after Bannister Law Class Actions and Centennial Lawyers announced they will collectively explore a class action lawsuit into the Medibank data breach, which is now also being investigated by national law firm Maurice Blackburn.

The cyberattack, which is believed by the AFP to have been conducted in Russia, has affected roughly 5.1 million Medibank customers, 2.8 million ahm customers, 1.8 million international customers and 900 Medibank staff.

International students also had their passport numbers accessed, some of which were published on dark web forums. The leak also included customer names, addresses, dates of birth, phone numbers, email addresses, and the Medicare numbers of ahm customers (without the expiry dates).

APRA said Medibank has been open and cooperative with the prudential regulator since the breach occurred last month.

“The review will ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers,” Medibank CEO David Koczkar said to shareholders today.

“We will share the key outcomes and consequences of the review, where appropriate, having regard to the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police investigation.

“We are also committed to sharing what we have learnt from our experience so that Australian businesses and the broader community can be better placed to navigate any similar challenges in future.”

Shares in MPL are up 1.40 per cent at $2.90 each at 11:19am AEST.
