InnovationAus
Technology
Denham Sadler

Privacy watchdog sues Medibank over 2022 hack

The Australian privacy watchdog is taking Medibank to court over the insurer’s 2022 data breach, alleging the company did not adequately protect the data of its customers before the hack, which impacted nearly 10 million people.

The Office of the Australian Information Commissioner (OAIC) on Wednesday said it has filed civil penalty proceedings in Federal Court against Medibank, 18 months after it launched its investigation into Australia’s largest private health insurer.

The Federal Court can impose a civil penalty of up to $2.22 million for each proven contravention of the Privacy Act.

Medibank was hit with a cyber attack in October 2022, with hackers obtaining the personal data of 9.7 million current and former customers.

This personal information, which included Medicare numbers and sensitive medical information, was later published on the dark web.

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including personal emotional distress and the material risk of identity theft, extortion and financial crime,” acting Australian Information Commissioner Elizabeth Tydd said in a statement.

The cyber attack has since been attributed to Russia-based ransomware-as-a-service crime group REvil, and earlier this year the federal government sanctioned Russian hacker Alexander Ermakov over his role in the data breach.

The OAIC is alleging that in the 18 months prior to the breach Medibank “seriously interfered” with the privacy of 9.7 million Australians because it failed to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure.

Australian Privacy Principle 11.1 requires an organisation to take such steps as are reasonable in the circumstances to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” Ms Tydd said.

“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

The OAIC opened its investigation into Medibank in late 2022, focusing on how the insurer managed and secured personal information and whether the steps it took were reasonable.

The legal action should be a “wake-up call” for Australian companies to focus on their data handling practices, Privacy Commissioner Carly Kind said.

“Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely,” Ms Kind said.

“That is particularly the case when it comes to sensitive data. This case should serve as a wake-up call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape.

“Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”

The OAIC late last year also launched Federal Court action against Australian Clinical Labs Limited following a data breach of its MedLab Pathology business in mid-2022.

The OAIC will lose more than $11 million in funding next financial year and is facing growing backlogs of investigations and freedom of information reviews. Part of this funding reduction is the result of terminating funding provided to the office to investigate the Medibank and Optus data breaches.

The OAIC has six major privacy investigations currently open, with some now running for more than a year.
