Medibank has copped a grilling from shareholders at its annual general meeting as fallout continues from a massive data breach.
Executives on Wednesday stood by their call not to pay a ransom to Russian hackers who stole millions of customers' personal data. But shareholders asked chairman Mike Wilkins why the health insurer hadn't taken cyber security "as seriously as you should have".
The meeting comes a month after hackers stole personal information of the insurer's 9.7 million current and former customers.
The company confirmed to investors the up-front cost for the first half of the financial year would be $25m to $35m before factoring in legal and other expenses.
One "rather disappointed" shareholder asked if IT security would form part of the company's recently-announced external review, also wondering if the executive responsible would have their pay cut.
Mr Wilkins said executive remuneration would be taken care of at the end of the next financial year, but said pay would be linked to performance.
"The board is very well aware of the alignment between remuneration and outcomes," he said.
A representative of the Australian Shareholders Association asked when specific accountability would be taken for the breach, but Mr Wilkins said that would come after the review was complete.
The company has starting contacting about 480,000 customers it believes had their health data stolen.
"Safeguarding our customers' data is a responsibility we take very seriously and we will continue to support all people who have been impacted by this crime," Mr Wilkins said in his opening address.
"There is no doubt that this crime is having an enormous impact on our customers and our community. This is a shocking crime, the size and scale of which we have never seen before."
But Mr Wilkins said paying a $US9.7m ransom was never an option and would have supercharged the hacking industry.
"There was a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published," he said.
"The advice we have had is that to pay a ransom could have had the opposite effect and encouraged the criminal to directly extort our customers."
The hackers had indicated they'd watch the meeting before firing off another tranche of stolen data.
"We'll announce that next portion of data we'll publish at (sic) Friday, bypassing this week completely in a hope something meaningful happened on Wednesday," the hackers wrote in an update.
Medibank CEO David Koczkar said the company had started the "incredibly complex" process of contacting half a million customers whose sensitive data had been taken.
"This ongoing work continues and requires our people to analyse millions of records across numerous applications and match customer data from multiple sources," he said.
A 100 officer-strong cybercrime operation targeting the hackers will be led by the Australian Federal Police and Australian Signals Directorate.
Data including names, phone numbers, Medicare numbers and sensitive health information was taken by the hackers during the breach.