APRA intensifies scrutiny of Medibank after major cyberattack

The breach is part of a growing trend of cyberattacks hitting Australian companies, including Australian Clinical Labs (ASX: ACL) owned Medlab Pathology, which saw the health records and credit card information of 223,000 patients and staff leaked one month ago.

APRA said it has “informed the scope” of an external review being conducted by Deloitte, which is also looking into a data breach impacting 10 million current and former Optus customers.  

Announced by Medibank on 16 November, the review will examine the incident, control effectiveness and the response of the health insurer, which refused to pay a $15 million ransom to the criminals behind the data breach.

“While APRA notes Medibank’s constructive response to date, APRA will consider whether further regulatory action is needed when findings of the report become clear,” APRA member Suzanne Smith said.

“APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate.

An investigative report by the ABC also revealed today that at least 12 million Australians have had their data exposed by hackers in recent months, including logins for personal Australian Tax Office (ATO) accounts and the medical and personal data of thousands of NDIS recipients. The broadcaster said that many of those impacted learnt they were victims of data theft only after being contacted by the ABC.

According to the Australian Cyber Security Centre’s Annual Cyber Threat Report, the agency received more than 67,500 cybercrime reports during the 2020-21 financial year, reflecting a year-on-year increase of 13 per cent. The increase in volume of cybercrime reporting equates to one report of a cyber-attack every eight minutes.

“Recent cyber-attacks reinforce the need for ongoing vigilance and focus by boards on operational resilience,” Smith said.

“They are a stark reminder for boards to ensure they can answer these fundamental questions: Do you know what data you are holding? Do you know where it is? How do you know it is safe? And do you need to retain it?

“Cyber security is a highly significant risk area for all regulated entities and we remind banks, insurers and superannuation funds to remain vigilant in order to protect their beneficiaries and the Australian community.”

APRA’s crackdown comes almost three weeks after Bannister Law Class Actions and Centennial Lawyers announced they will collectively explore a class action lawsuit into the Medibank data breach, which is now also being investigated by national law firm Maurice Blackburn.

The cyberattack, which is believed by the AFP to have been conducted in Russia, has affected roughly 5.1 million Medibank customers, 2.8 million ahm customers, 1.8 million international customers and 900 Medibank staff. 

International students also had their passport numbers accessed, some of which were published on dark web forums. The leak also included customer names, addresses, dates of birth, phone numbers, email addresses, and the Medicare numbers of ahm customers (without the expiry dates).

APRA said Medibank has been open and cooperative with the prudential regulator since the breach occurred last month.

“The review will ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers,” Medibank CEO David Koczkar said to shareholders today.

“We will share the key outcomes and consequences of the review, where appropriate, having regard to the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police investigation.

“We are also committed to sharing what we have learnt from our experience so that Australian businesses and the broader community can be better placed to navigate any similar challenges in future.”

Shares in MPL are up 1.40 per cent at $2.90 each at 11:19am AEST.