Medibank Private - will the patient recover or is this terminal?

The share market has wiped out $1.87bn of equity value from Medibank Private following the cyber attack with the share price down close to 20%.

As with any investment event, investors need to determine whether this event is temporary in its impact, or permanent.  If the event is temporary it may represent an opportunity, but if the event results in permanent change or damage then investors need to realign their thinking.

Hugh Dive, the Chief Investment Officer at Atlas Funds Management highlights that Medibank has taken a hit to this years profit of $25 - $35m in one off costs relating to customer service initiatives, reissuing customer ID’s and external experts.  Medibank has also deferred the statutory premium increase until January 2023 at a cost of $62m which is offset by lower than expected claims expense. These costs would appear temporary in nature.

Nathan Bell, Head of Research at The Intelligent Investor says that more permanent financial impacts are likely to come from ongoing higher IT expenses as it beefs up cybersecurity, and also potential fallout from a probable class action.

Bell says that the potential result from a class action is difficult to quantify.  The most the Australian Information Commissioner has awarded in damages for non-financial loss associated with a privacy breach was $20,000 per individual.  This incident was related to someone’s health information being published on a website, causing distress.  Medibank says that 480,000 customers had health claims data stolen containing some potentially embarrassing information.  A similar damages award to this group of 480,000 would be larger than Medibank’s market cap.

Precedent can be helpful when thinking about the potential effects of legal action, and Bell points to the data breach by Premera Blue Cross in 2015, which is a US health insurer with a similar number of policy holders affected.  The company settled the class action for US $32m (AUD $48m).  Premera Blue also had to commit US $42m (AUD $63m) to improve data security, which means that it might be wise for investors to leave room in their valuation for a much larger IT spend by Medibank than management has already set aside.

Dive confirmed that Medibank self-insure against cyber risk, but Medibank management advise that the type of insurance available wouldn’t have paid out for the hack.  While the class action lawyers are circling, the class action may struggle as the right to sue for the tort of breach of privacy or invasion of privacy is quite novel in Australia.  The class action would have to prove that Medibank’s cybersecurity was incompetent or negligent which could be challenging for the plaintiff.  Dive also questions whether the Government would be happy to allow Australia’s largest health insurance provider with 29% market share to be financially crippled.

Other than the risk of financial damage from a class action, the other key risk is that Medibank customers switch to other providers.  NIB mentioned at their AGM in November that they are starting to see some unhappy Medibank customers contact them, but the transition costs of private health insurance are high.

Dive said he would be surprised if HCF/BUPA/NIB used the cyber attack as a way to opportunistically gain market share by offering no waiting periods for hospital cover, which is usually 2 months before making a claim or 12 months for a pre-existing condition.

Contrasting these risks, Medibank is debt free with surplus capital and trades on a price earnings multiple of 16 times.  It offers investors a fully franked dividend of 5%pa.  Prior to the data breach Medibank reported 14% customer growth since June 2022. Consensus valuation for Medibank is around $3.20 per share (source Stockdoctor).

But Bell is cautious about referencing consensus valuations, as the final cost of the breach is unquantifiable and uncertainty could linger for years due to litigation, which could weigh on the share price.

The question for investors is whether the market has over-reacted to the cyber attack by slashing almost $2bn from the value of Medibank versus currently only a once off $35m hit to profits. 

Investing is a game of probabilities, and investors need to balance off Medibank’s attractive price on offer against the risks from customer loss and potential legal action.


Each month Mark Draper (GEM Capital) writes for the Australian Financial Review - this article featured in the 30th November 2022 edition