Executives at embattled insurance giant Medibank have lost their bonuses as the company is plagued by tens of millions in costs amid the fallout from a massive hack of customer data.

The insurer is facing four class actions, an official complaint with the privacy watchdog, and a government probe led by the information commissioner over the 2022 scandal, which saw the personal information of almost 10 million current and former customers stolen by criminals.

That includes two cases on behalf of consumers and two on behalf of scorned shareholders, which could end up being extremely expensive for the company if the damage claims stand up in federal court hearings.

About $46 million has already been spent in 2022-23 on responding to the hack, including on a small package of customer support, while Medibank said it expects an additional $30 million to $35 million will be needed for legal costs and an “IT security uplift” in 2024.

“This does not include the impacts of any potential findings or outcomes from regulatory investigations or litigation,” the company revealed on Wednesday.

The disclosures show Medibank is still dealing with the fallout from the 2022 scandal in which criminals made off with extensive private medical records and other personal information.

The hack was one of the largest in Australian history, rivalled only by the huge leak of Optus’ customer data months earlier, though in the case of Medibank the hackers appeared organised.

After Medibank defied ransom requests for return of the data it began to be leaked on the dark web, including sensitive health insurance information about people treated for drug addiction.

But if Wednesday’s investor reports are any guide, Medibank is poised to weather the financial storm, with annual after-tax profits skyrocketing by 29 per cent to $511 million over 2022-23.

Mohiuddin Ahmed, a cyber security expert and senior lecturer at Edith Cowan University, said Medibank has been able to recover some of its damaged reputation because rising population growth since COVID-19 has increased its customer pool.

But that doesn’t mean the company should skimp out on cyber security.

“It is in the best interest of Medibank to invest in security uplift and should have transparency in that process,” he said.

“In light of recent attacks on critical infrastructures, Medibank might seriously consider cyber wargaming as an option to strengthen their security regardless of the cost.”

Medibank boss David Koczkar attempted to draw a line under the sordid period of the company’s history on Wednesday, saying it has been “working hard” to regain trust.

“In what was a very challenging year for our customers and our people, policyholder growth is back on track following the cyber crime event,” he told investors on Wednesday.

The company now has more than four million customers for the first time in its 47-year history, Mr Koczkar explained.

“While consumers are paring back their spending in many areas, health is not one,” he said.

“Net resident policyholders grew by almost 11,000, a 0.6 per cent increase.

“Growth came from families, younger people and those taking out cover for the first time.”

Ordinarily, however, such a bumper result would have delivered sizeable bonuses into the pockets of executives like Mr Koczkar, but there has been no payouts because of the hack.

“With consideration of the expectations of our customers, shareholders and the community following the cyber crime event, the board exercised discretion and reduced the 2023 STI [short-term incentive] outcomes for executive[s] … to zero,” the company revealed on Wednesday.