Information Commissioner sues Medibank


Wednesday, 05 June, 2024

The Australian Information Commissioner has filed civil penalty proceedings in the Federal Court against Medibank Private Limited in relation to its October 2022 data breach.

The proceedings follow an investigation initiated by Australian Information Commissioner Angelene Falk after Medibank was the subject of a cyber attack in which one or more threat actors accessed the personal information of millions of current and former customers, which was subsequently released on the dark web.

The Commissioner alleges that from March 2021 to October 2022, Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988.

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” said acting Australian Information Commissioner Elizabeth Tydd.

Medibank’s business as a health insurance services provider centrally involves collecting and holding customers’ personal and sensitive health information, said the Office of the Australian Information Commissioner (OAIC) in a statement. In the financial year ending June 2022, Medibank generated a revenue of $7.1 billion and an annual profit of $560 million.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” Tydd said.

“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

Privacy Commissioner Carly Kind said, “Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely. That is particularly the case when it comes to sensitive data.

“This case should serve as a wake-up call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”

The OAIC investigation focused on whether Medibank’s acts or practices were an interference with privacy or a breach of Australian Privacy Principle (APP) 11.1.

Under APP 11.1, Medibank is required to take such steps as are reasonable in the circumstances to protect the information it holds from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.

The investigation considered Medibank’s practices for managing and securing personal information and whether the steps it took were reasonable in the circumstances to protect that information from unauthorised access.

The Australian Information Commissioner may apply to the Federal Court for a civil penalty order where an entity is alleged to have engaged in serious or repeated interferences with privacy in contravention of section 13G of the Privacy Act.

For these proceedings, the Federal Court can impose a civil penalty of up to $2,220,000 for each contravention of section 13G (as per the penalty rate applicable from March 2021 to October 2022). Whether a civil penalty order is made and the amount are matters before the court.

The OAIC has also received multiple related individual complaints and a representative complaint.
