Financial watchdog APRA has fined Medibank Private $250 million following a hacking scandal that resulted in the online publication of millions of Australians’ private medical information.
In a statement announcing the decision on Tuesday, the regulator stated that it was motivated by “weaknesses identified in Medibank’s information security environment.”
In order to execute a more thorough remediation plan, the health insurer will be required to hold back an additional $250 million in capital funds.
This effectively prevents Medibank from using more than half of the capital it had before the penalty, barring it from using the money for spending or investing.
A “targeted technology review” of Medibank, focused on its governance and risk culture, was also announced by APRA.
In addition to serving as a warning that the regulator would react “strongly” to events affecting other corporations in the future, according to APRA Member Suzanne Smith, the sanction was intended to encourage Medibank to expedite its plans to manage the impact from the breach.
“APRA seeks to ensure that Medibank expedites its remediation program by taking this action,” she said.
“This action shows how seriously APRA regards entities’ obligations in relation to cyber risk, and it also shows how firmly APRA will react to detected shortcomings in cyber security systems.
As was already stated, APRA anticipates Medibank to make sure there is proper responsibility and consequence management, including implications to CEO remuneration when necessary.
Due to a breach that occurred in October of last year, 9.7 million Australians had their personal medical information compromised and, in some circumstances, disclosed online. Medibank is already the target of many class actions.
According to some estimates, the price tag for the breach clean-up, including litigation damages, might reach $150 million.
In response to the fine, Medibank CEO David Koczkar said the business was still “strong” and was working to improve client outcomes in the wake of the attack.
Medibank takes seriously its obligation to protect consumer data, he added.
To give our customers the security they need and expect, Medibank has continued to tighten our systems and procedures. We’ll keep working to improve our systems and procedures even more.
“Our business is still solid and well-capitalized.
“We continue to provide our customers with support through the Medibank Cyber Response Support Program, which includes mental health and wellbeing support, identity protection, and financial hardship measures.”
Medibank said in a statement that it had “significant existing capital” to make up for the fine.
It stated that the amount of unallocated capital will stay at June 30 2022 levels of $148 million, indicating that it would not at this time lower its target capital requirement for health insurance.
The health insurance believes the fine is unlikely to have an impact on its regular business operations, but new industry regulations that will go into effect on July 1 will make it even more capital-intensive.
In addition, Medibank said it would continue to give APRA its “full support” as it collaborates closely with the regulator to finalize and implement its remediation program.
As Ms. Smith urged other businesses to keep a careful eye on their operations to prevent a similar catastrophe, APRA also mentioned that the company has constantly collaborated with the regulator in a “open, constructive and cooperative way”.
“APRA has repeatedly emphasized the importance of an uplift in cyber security and continued vigilance to identify and address cyber exposures since launching the 2020–2024 Cyber Security Strategy,” she said.
As we continue to find weak monitoring from boards and management and poor cyber security policies, it is unfortunate that not all institutions are listening to these concerns.
