Australia's privacy watchdog has filed civil penalty proceedings in the Federal Court against Medibank, alleging the health insurer “seriously interfered” with the privacy of millions of Australians in relation to its landmark 2022 data breach.

In October 2022, Medibank suffered a major cyber incident which saw the personal information of 9.7 million current and former customers exposed to hackers, who later released the stolen data on the dark web after being denied a ransom payout.

Now, the Office of the Australian Information Commissioner (OAIC) alleges Medibank interfered with the privacy of those Australians by “failing to take reasonable steps” to protect their personal information from misuse and unauthorised access or disclosure.

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” said acting Australian Information Commissioner Elizabeth Tydd.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.”

Follows 18 months of investigation

The OAIC first launched an investigation into Medibank’s privacy practices in December 2022, focusing on whether Medibank’s acts or practices were an “interference with privacy or a breach of” Australian Privacy Principle (APP) 11.1.

Under APP 11.1, Medibank is essentially required to take reasonable steps – based on the circumstances – to protect the information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

While the OAIC did not publicly explain where Medibank fell short of this requirement, the insurer has previously gone on record to reveal that the hack involved stolen credentials, which were in turn used to access Medibank’s network through a misconfigured firewall.

Medibank said a criminal actor was then able to “obtain further usernames and passwords” to access a number of Medibank’s systems, and that access was not appropriately contained.

Furthermore, the incident, alongside others at the likes of Optus, has sparked a long-needed debate around Australia’s data retention practices. Given the breach saw droves of former customers’ data exposed, many Australians have voiced confusion over why their information was kept by Medibank beyond the minimum required period of seven years.

Big penalties for privacy blunders

Victoria Police reports over 11,000 cyber crime incidents have been linked to the Medibank data breach, with that number only covering crimes which have been matched to reports on ReportCyber, the Australian government's online cyber crime reporting tool.

Medibank is now facing potential penalties of up to $2.22 million for each contravention of section 13G of the Privacy Act – narrowly avoiding the significantly higher penalty caps which were introduced in November 2022.

Matt Boon, senior research director at Australian tech research and advisory firm Adapt, told Information Age that while the penalty amount is “obviously theoretical”, it will make the heads of Australia’s largest companies “reconsider how laws could be applied to them if they don't have their house in order on the cyber security front.”

“Given we're yet to see any breached Australian company really made an example of, this is a message from regulators that they no longer want to be seen as a toothless tiger,” said Boon.

Privacy commissioner Carly Kind added that organisations which collect, use and store personal information have a “considerable responsibility” to ensure data is treated safely, particularly when it comes to sensitive data (such as the medical information exposed during the Medibank incident).

“This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape,” said Kind.

“Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”

The OAIC has also accepted a representative complaint against Medibank lodged by Maurice Blackburn Lawyers, while in June 2023 the Australian Prudential Regulation Authority (APRA) slammed the company with a whopping $250 million penalty after identifying a range of weaknesses in its information security environment.

In addition to its recent action against Medibank, the OAIC is also conducting investigations relating to data breaches at Optus, Latitude Financial Services and HWL Ebsworth, and has further commenced civil penalty proceedings against Australian Clinical Labs.