Medibank cybercrime, business and FY23 outlook update
Cybercrime event update
Yesterday, Medibank provided a further update regarding the cybercrime event and announced a comprehensive customer support package for Medibank, ahm and international student customers affected by this cybercrime.
The investigation into the cybercrime event is continuing, with particular focus on identifying which systems and networks were accessed and what data was removed by the criminal.
Since yesterday’s announcement, our investigation has now established that the criminal had access to:
- All ahm customers’ personal data and significant amounts of health claims data
- All international student customers’ personal data and significant amounts of health claims data
- All Medibank customers’ personal data and significant amounts of health claims data
As previously advised, we have evidence that the criminal has removed some of our customers’ personal and health claims data and it is now likely that the criminal has stolen further personal and health claims data. As a result, we expect that the number of affected customers could grow substantially.
Our priority is to continue working to understand the specific data that has been taken for each of our customers so that we can contact them directly to let them know.
Medibank has announced a support package for affected customers which includes:
- A hardship package to provide financial support for customers who are in a uniquely vulnerable position as a result of this crime, who will be supported on an individual basis
- Access to Medibank’s mental health and wellbeing support line for all customers, including ahm customers
- Access to specialist identity protection advice and resources from IDCARE
- Free identity monitoring services for customers who have had their primary ID compromised
- Reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime
Business operations continue
To date, Medibank’s IT systems have not been encrypted by ransomware. Normal business operations have been maintained with customers continuing to access health services.
Concurrent to the investigation, Medibank has prioritised preventing further unauthorised entry to our IT network and is continuing to monitor for any further suspicious activity. This has included bolstering existing monitoring, adding further detection and forensics capability across Medibank’s systems and network and scaling up analytical support via specialist third parties.
This cybercrime event is subject to a criminal investigation by the Australian Federal Police (AFP).
Medibank continues to work with the AFP, specialised cyber security firms, the Australian Cyber Security Centre (ACSC) and government stakeholders.
First quarter performance and update to FY23 outlook
Medibank provided a FY23 outlook (FY23 outlook) to the market in the FY22 financial results. As a result of this cybercrime event, we are updating the FY23 outlook as follows.
Resident policyholder growth
Net resident policyholder growth for the three-month period to 30 September 2022 was 14,600. On a rolling 12-month basis, this policyholder growth of 3.2% is above the FY23 outlook of c. 2.7% which assumed a modest decline in industry participation growth in FY23 relative to FY22.
Given the uncertain impact of this cybercrime event, Medibank is withdrawing its FY23 outlook for policyholder growth and will provide a further update at the 1H23 results.
Underlying net claims expense per resident policy unit continues to track below the FY23 outlook of 2.3%.
This has resulted in further permanent net claims savings due to COVID-19 of approximately $62 million and these savings will offset the cost of the deferral of premium increases for Medibank and ahm customers to 16 January 2023.
PHI management expenses
Management expense productivity initiatives continue in line with the FY23 outlook and our expectation for inflation remains unchanged.
As at 30 September 2022, our health insurance capital ratio* was 13.4%, and unallocated capital was approximately $150 million. APRA released the final private health insurance capital standards that will take effect from 1 July 2023 and we continue to expect the implementation of these standards will not negatively impact our capital position.
Financial impacts of the cybercrime event
Based on our current actions in response to the cybercrime event, noting that Medibank does not have cyber insurance, we currently estimate $25 million-$35 million pre-tax non-recurring costs will impact earnings in 1H23. These non-recurring costs do not include further potential customer and other remediation, regulatory or litigation related costs.
This cybercrime event continues to evolve and at this stage, we are unable to predict with any certainty the impact of any future events on Medibank including the quantum of any potential customer and other remediation, regulatory or litigation related costs.
We will provide further updates as appropriate, including at our forthcoming Annual General Meeting on 16 November 2022.
Medibank CEO David Koczkar said
“Our investigation has now established that this criminal has accessed all our private health insurance customers personal data and significant amounts of their health claims data.
“The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal.
“As we’ve continued to say we believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially.
“I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.”
This announcement has been authorised for release by the Board.
Investor briefing today
Investor briefing details are below. Media are welcome to join the investor briefing in a listen-only mode.
Time: 10am AEDT
To join this call and/or ask a question, pre-register at__ https://s1.c-conf.com/diamondpass/10026470-8dvwxf.html__
To view the webcast only, visit https://ccmediaframe.com/?id=qV4uInPe
Calculated as required Health Insurance related capital divided by the last 12 months’ Health Insurance premium revenue inflated by the growth rate in Health Insurance premium revenue over the same 12-month period
Senior Executive, External Affairs
+61 429 642 418
Senior Executive, Investor Relations
+61 475 975 770
For a complete list of all ASX announcements, please visit our Investor Centre.