Medibank Private Ltd (MPL.AX), Australia’s biggest health insurer, said on Wednesday a cyber hack had compromised data of all of its of its nearly 4 million customers, as it warned of a A$25 million to A$35 million ($16 million to $22.3 million) hit to first-half earnings.
It said on Wednesday that all personal and significant amounts of health claims data of all its customers were compromised in the breach reported this month, a day after it warned the number of customers affected would grow.
Shares in the company fell more than 14%, its biggest one-day slide since listing in 2014.
Medibank, which covers one-sixth of Australians, said the estimated cost did not include further potential remediation or regulatory expenses.
“Our investigation has now established that this criminal has accessed all our private health insurance customers’ personal data and significant amounts of their health claims data,” chief executive David Koczkar said in a statement. “I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.”
The company reiterated that its IT systems had not been encrypted by ransomware to date and that it would continue to monitor for any further suspicious activity.
“Everywhere we have identified a breach, it is now closed,” John Goodall, Medibank’s top technology executive, told an analyst call on Wednesday.
Medibank, which also withdrew its fiscal 2023 policyholder growth forecast, reported an after-tax profit of about A$394 million for fiscal 2022 in August.
The Medibank hack is the latest in a string of similar incidents in the country that has alarmed the government and corporate sector.
The country’s No. 2 telco, Singapore Telecommunciations Ltd-owned (STEL.SI) Optus, said last month about 10 million customer accounts, equivalent to 40% of the Australian population, had data taken by a hacker demanding payment.
A person claiming to be behind the Optus hack later withdrew the demand over concerns about publicity.
The government has meanwhile said it would introduce fines of up to A$50 million for companies on the receiving end of data breaches.
($1 = 1.5664 Australian dollars)