(Re)in Summary
• OAIC suing Medibank for allegedly failing to protect customer data in a 2022 breach affecting 9.7m customers.
• Health insurer faces penalties of up to AU$2.22m for each contravention, which could amount to a theoretical maximum fine in the trillions.
• Medibank says it plans to defend the proceedings.
Medibank is being sued by the Office of the Australian Information Commissioner (OAIC) over the significant data breach that occurred in October 2022. The breach affected 9.7 million current and former customers, whose personal information was released on the dark web.
The OAIC has filed civil proceedings in Australia’s Federal Court, alleging that Medibank breached Australia’s privacy act by failing to take reasonable steps to protect its customers’ personal information from misuse and unauthorised access.
The insurer faces potential penalties of up to AU$2.22m for each contravention of section 13G of the Privacy Act, which could amount to a theoretical maximum fine of up to AU$21 trillion, though the Federal Court will determine the final amount.
Elizabeth Tydd, Acting Australian Information Commissioner, said, “The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime.”
“We allege Medibank failed to take reasonable steps to protect personal information it held, given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” she added.
Medibank is already facing several class action lawsuits from legal firms such as Baker & McKenzie, Quinn Emanuel Urquhart & Sullivan, and Maurice Blackburn.
In the breach, hackers accessed basic account details of 9.7 million Medibank customers, including health claim data for about 160,000 Medibank customers, 300,000 customers of its budget arm, ahm, and 20,000 international customers. The data included sensitive information such as names, addresses, dates of birth, phone numbers, email addresses, and Medicare numbers.
Medibank refused to pay a AU$15m ransom demanded by the hackers, who subsequently published customer claim data for sensitive conditions, including abortions, drug and alcohol abuse, and mental health disorders, on the dark web. The Australian government had at the time supported Medibank’s decision not to pay the ransom.
Medibank has stated that it intends to defend the proceedings.
The OAIC’s legal action comes as other Australian companies, including Optus, Ticketmaster, and Ticketek, face similar scrutiny over data breaches, highlighting the need for stronger data protection measures at Australian businesses.
The Federal Court will determine the final amount of any fines imposed on Medibank. Changes to the Privacy Act in late 2022 capped the maximum fine a company could receive at AU$50m, but the date of the breach allows the commissioner to sue Medibank under the previous rules.
Privacy Commissioner Carly Kind emphasised the importance of data protection, commenting, “Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely. That is particularly the case when it comes to sensitive data.”