Australian Privacy Watchdog Files Lawsuit Against Medibank Over 2022 Data Breach
The Australian privacy watchdog on Wednesday filed a lawsuit against Medibank, the country's largest private health insurer, for failing to protect its 9.7 million customers' personal information in a 2022 data breach incident.
The Australian Information Commissioner said in a civil penalty proceedings filed in the Federal Court that Medibank "seriously interfered" with the privacy of Australians by failing to take reasonable steps to protect their data from misuse and unauthorized access. These issues are allegedly in breach of the country's Privacy Act 1988, according to the OAIC.
βWe allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,β Tydd said. βWe consider Medibankβs conduct resulted in a serious interference with the privacy of a very large number of individuals.βPrivacy Commissioner Carly Kind put the responsibility of data security and privacy on the organizations that collect, use and store personal information. These orgnizations have a considerable responsibility to ensure that data is held safely and securely, particularly in the case of sensitive data, she said. βThis case should serve as a wakeup call to Australian organizations to invest in their digital defenses,β Kind added.
Aim and Findings of OAIC's Medibank Data Breach Investigation
OAIC commenced the investigation into Medibankβs privacy practices in December 2022 following an October data breach of Medibank and its subsidiary ahm. The investigation focused on whether Medibank's actions constituted a privacy interference or breached Australian Privacy Principle (APP) 11.1. This law enforcement mandates organizations to take reasonable steps in the protection of information from misuse, interference, and unauthorized access. The OAIC's findings suggested that Medibank's measures were insufficient given the circumstances. Under section 13G of the Privacy Act, the Commissioner can apply for a civil penalty order for serious or repeated privacy interferences. For the period from March 2021 to October 2022, the Federal Court can impose a civil penalty of up to AU$2.2 million (approximately US$1.48 million) per violation.A spokesperson for the health insurer did not detail the plan of action against the lawsuit but told The Cyber Express that βMedibank intends to defend the proceedings.β