OAIC pursues court action against cyber-hacked Medibank data breach

The Office of the Australian Information Commissioner (OAIC) has filed civil penalty proceedings in the Federal Court against Australia’s biggest health insurer Medibank Private Limited after an investigation into a 2022 breach of its systems.

Australian Information Commissioner Angelene Falk commenced an investigation into Medibank’s privacy standards and protocols after it and its subsidiary, ahm, were the subject of a cyber attack, which the Office was notified of on 25 October 2022.

The Commissioner investigated whether Medibank’s practices complied with Australian Privacy Principle (APP) 11.1, which requires companies to “take such steps as are reasonable in the circumstances to protect the information it holds from misuse, interference and loss, as well as from unauthorised access, modification or disclosure”.

As a result of this inquiry, the Commissioner now alleges that between March 2021 and October 2022, Medibank put at severe risk the privacy of 9.7 million Australians by “failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988”.

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” said acting Australian Information Commissioner Elizabeth Tydd.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” said Commissioner Tydd.

“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

In proceedings like this, the Federal Court is able to impose a civil penalty of up to $2.22 million for each contravention of section 13G of the Privacy Act. Collectively, based on the total number of alleged contraventions, this could add up to a $21 trillion penalty for the health insurer, though a penalty of this startling magnitude is almost certain not to be imposed by the courts.

“Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely. That is particularly the case when it comes to sensitive data,” Privacy Commissioner Carly Kind said.

“This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”

In a statement made to the Australian Securities Exchange today, Medibank advised it was aware of the proceedings commenced by the OAIC and signalled its intention to “defend the proceedings”.

The OAIC said it also received a number of individual complaints related to the breach, as well as a representative complaint lodged by Maurice Blackburn Lawyers.