
APRA intensifies surveillance on Medibank Private after hack scandal

Gerard Cockburn, The West Australian
APRA has increased its surveillance on Medibank following its major hack in October. Credit: Rick Rycroft/AP

Australia’s prudential regulator says it will clamp down on Medibank Private following its major hack in October.

In a statement on Monday, the Australian Prudential Regulation Authority outlined it would intensify supervision of the major health insurer in a bid to ensure operations by the company fall within the current regulatory framework.

An increase in scrutiny on Medibank comes after APRA on November 16 announced an external review on the insurer to be conducted by Deloitte.

Medibank in October suffered a major security breach when the data of nearly 10 million customers was stolen by online hackers, and the data has since been released online via the dark web.

The review will examine the incident itself, the effectiveness of the control of the hack and Medibank’s own response.

APRA claimed the breach puts into question the effectiveness of the company’s operational risk controls.

APRA member Suzanne Smith said Medibank has been compliant, but did not rule out further action by the regulator given how much damage had been inflicted upon customers and their sensitive information.

“APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate,” she said.

Ms Smith also noted the hack had prompted APRA to intensify surveillance on all entities it regulates and whether companies are meeting information security prudential standards.

“Cybersecurity is a highly significant risk area for all regulated entities and we remind banks, insurers and superannuation funds to remain vigilant in order to protect their beneficiaries and the Australian community,” she said.

The Federal Government is also trying to bolster data laws following the hacks at both Medibank and Optus this year.

Changes to the privacy Bill, which would allow for higher penalties upon companies failing to comply and greater powers for the Office of the Australian Information Commissioner, passed the Senate.

However, small amendments were made and have prompted the Bill to go back to the House before the new laws are given royal assent.

Medibank throughout the saga has claimed it is contacting customers who have had their health and personal information stolen.

Hackers began releasing the information online after Medibank refused to pay ransom money to re-obtain the data.

The company’s decision followed advice set by Australian government intelligence bodies.
