Case study: APRA regulatory action against Medibank

On 27 June 2023, the Australian Prudential and Regulation Authority (APRA) announced it would impose on Medibank Private (Medibank) a capital adequacy requirement of $250 million.

This follows APRA's review of the cyber security incident that Medibank faced in October 2022; the increased capital adequacy requirement reflects weaknesses that APRA identified in Medibank's information security environment.

In October 2022, 9.7 million past and present Medibank customer records were stolen from Medibank systems and subsequently leaked on the dark web by cybercriminals after Medibank refused to pay the criminals' ransom demands. The records contained sensitive customer information, including customers' medical conditions and treatment.

Capital adjustment

The increased capital adequacy requirement became effective from 1 July 2023 and will remain in place until APRA is satisfied with an agreed remediation program of work completed by Medibank. The capital adjustment is applied to Medibank's operational risk charge under the Private Health Insurance (PHI) Capital Framework.

Key takeaways

The action taken by APRA against Medibank is a reminder to all APRA-regulated companies of the strict stance the authority takes towards cyber security data breaches.

Where a company's controls and risk management systems are inadequate, specifically in preventing unauthorised access to private consumer data, it is crucial that the business act to strengthen its security environment and data management before any potential cyber exposure arises. APRA Member Suzanne Smith stated: “This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.”[1]

[1] Australian Prudential and Regulation Authority, Media Release: APRA takes action against Medibank Private in relation to cyber incident, 27 June 2023.