Australia markets close in 9 minutes

    -27.80 (-0.37%)
  • ASX 200

    -28.80 (-0.40%)

    -0.0062 (-0.92%)
  • OIL

    -2.13 (-2.79%)
  • GOLD

    -3.00 (-0.17%)

    -682.68 (-2.74%)
  • CMC Crypto 200

    -2.38 (-0.62%)

    -0.0035 (-0.54%)

    -0.0028 (-0.26%)
  • NZX 50

    -74.25 (-0.65%)

    -82.67 (-0.70%)
  • FTSE

    +20.07 (+0.27%)
  • Dow Jones

    +152.93 (+0.45%)
  • DAX

    +1.78 (+0.01%)
  • Hang Seng

    -348.17 (-1.98%)
  • NIKKEI 225

    -148.75 (-0.53%)

Cyber attack costs pile up for Medibank

Health insurer Medibank has faced criticism from shareholders angry over the massive data breach that will cost the company up to $35 million in the first half of the financial year.

Chairman Mike Wilkins defended his company's handling of the cyber attack and its lacklustre communication with shareholders and customers, saying the company will continue to be measured on how it responds.

"We have always taken and we continue to take our IT security very, very seriously," he said in response to a shareholder's question at the company's annual general meeting on Wednesday.

"We believe that our processes were robust, although clearly not robust enough in this circumstance. And we will seek to learn from that once we have completed this review."

Deloitte is conducting an external review into Medibank's systems.

Australia's biggest private health insurer is in the middle of a massive data breach, with hackers stealing personal information from all of the health insurer's 9.7 million former and current customers.

The hackers, who police said were from Russia, have been releasing the stolen information in daily batches with Medibank refusing to pay ransom of $9.7 million.

"We are steadfast in our resolve to not reward this criminal behaviour, nor to strengthen a business model that is based on extortion. This is a watershed moment for our community - a harsh reminder of the new frontier in cybercrime that we all face," Chief Executive David Koczkar told shareholders in Melbourne.

While shareholders backed that decision, many were critical of the company's inadequate communication, with one shareholder customer saying Medibank's customer support centre was unable to provide specific information even though his data was confirmed to have been leaked on the dark web.

Others questioned the extent of customer data required and the length of time it was stored by the company.

The cyber attack has overshadowed the health insurer's robust operating performance.

Net resident policyholder numbers were up 14,500 as at November 12 and its non-resident business has seen customer growth of 14 per cent in the September quarter.

The company expects underlying net claims expense per resident policy unit to be steady at 2.3 per cent for the full year and Mr Koczkar said the business remains strongly capitalised.

It had lifted dividend in the 2021-22 financial year despite a dip in full year profit to $393.9 million.

Medibank had also forecast policyholder growth of 2.7 per cent for the current fiscal at the time of its results in August, but has since withdrawn the guidance due to the uncertain impact of the hacking attack.

The company will provide an update at its half-year results in February but is already facing a growing bill.

"Based on our current actions in response to the cybercrime event, we currently estimate $25 million to $35 million of pre-tax non-recurring costs will impact earnings in the first half of 2023," , Mr Koczkar told shareholders.

"These non-recurring costs do not include further potential customer and other remediation, regulatory or litigation related costs."

Law firm Maurice Blackburn is reviewing whether Medibank customers affected by the data breach could be entitled to compensation.

Still, shareholders showed overwhelming support for the items on the meeting's agenda. Its remuneration report secured 94 per cent of the votes cast, while a motion to grant performance rights to the CEO was backed by nearly 98 per cent of the votes.

By 1400 AEDT, Medibank shares were down 0.5 per cent to $2.80 and have now lost about 18 per cent of their value since the cyberattack was made public in late-October.