OAIC files civil penalty action against Medibank

The OAIC alleges that Medibank failed to take reasonable steps to protect the personal information of 9.7 million Australians in the October 2022 data breach

The Office of the Australian Information Commissioner (OAIC) has filed civil penalty proceedings in the Federal Court against Medibank for the October 2022 data breach that involved the personal and health information of millions of customers.

The OAIC alleged that from March 2021 to October 2022, Medibank “seriously interfered” with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988.

The proceedings follow an investigation initiated by Australia’s information commissioner, Angelene Falk, after Medibank was the subject of a cyber attack in which one or more threat actors accessed the personal information of millions of current and former customers, which was subsequently released on the dark web.

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” said acting Australian information commissioner Elizabeth Tydd. 

Medibank’s business as a health insurance services provider centrally involves collecting and holding customers’ personal and sensitive health information. In the financial year ending June 2022, Medibank generated revenue of A$7.1bn and annual profit of A$560m.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” said Tydd. 

“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

Australia’s privacy commissioner, Carly Kind, said organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely.

“This case should serve as a wake-up call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe,” she added.

The OAIC commenced an investigation into Medibank’s privacy practices following the data breach and focused on whether the insurer’s acts or practices were an interference with privacy or a breach of Australian Privacy Principle (APP) 11.1. 

Under APP 11.1, Medibank is required to take such steps as are reasonable in the circumstances to protect the information it holds from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. 