The legal actions follow an investigation from the Australian Information Commissioner Angelene Falk into the Medibank cyberattack in which threat actors accessed the personal information of millions of current and former Medibank customers. The personally identifiable data that was stolen in this breach also ended up being published on the dark web. “The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” said acting Australian Information Commissioner Elizabeth Tydd. Tydd emphasized that Medibank’s business as a health insurance services provider involves collecting and holding customers’ personal and sensitive health information.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” Tydd said. “We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

Privacy Commissioner Carly Kind put the responsibility of data security and privacy on the organizations that collect, use and store personal information. These orgnizations have a considerable responsibility to ensure that data is held safely and securely, particularly in the case of sensitive data, she said. “This case should serve as a wakeup call to Australian organizations to invest in their digital defenses,” Kind added.

Aim and Findings of OAIC's Medibank Data Breach Investigation

OAIC commenced the investigation into Medibank’s privacy practices in December 2022 following an October data breach of Medibank and its subsidiary ahm. The investigation focused on whether Medibank's actions constituted a privacy interference or breached Australian Privacy Principle (APP) 11.1. This law enforcement mandates organizations to take reasonable steps in the protection of information from misuse, interference, and unauthorized access. The OAIC's findings suggested that Medibank's measures were insufficient given the circumstances. Under section 13G of the Privacy Act, the Commissioner can apply for a civil penalty order for serious or repeated privacy interferences. For the period from March 2021 to October 2022, the Federal Court can impose a civil penalty of up to AU$2.2 million (approximately US$1.48 million) per violation.

A spokesperson for the health insurer did not detail the plan of action against the lawsuit but told The Cyber Express that ”Medibank intends to defend the proceedings.”

Set Aside Millions to Fix the Issues

Australia's banking regulator last year advised Medibank to set aside AU$250 million (approximately US$167 million) in extra capital to fix the weaknesses identified in its information security after the 2022 data breach incident. The Australian Prudential and Regulation Authority (APRA) said at the time that the capital adjustment would remain in place until an agreed remediation programe was completed by Medibank to the regulator's satisfaction. Medibank told investors and customers that it had sufficient existing capital to meet this adjustment. APRA also said it would conduct a technology review of Medibank that would expedite the remediation process for the health insurer. It did not immediately respond to The Cyber Express' request for an update on this matter.

Medibank Hacker Sanctioned and Arrested

The United States, Australia and the United Kingdom earlier in the year sanctioned a Russian man the governments believed was behind the 2022 Medibank hack. 33-year-old Aleksandr Gennadievich Ermakov, having aliases AlexanderErmakov, GustaveDore, aiiis_ermak, blade_runner and JimJones, was said to be the face behind the screen. Post the sanctions, Russian police arrested three men including Ermakov, on charges of violating Article 273 of the country's criminal code, which prohibits creating, using or disseminating harmful computer code, said Russian cybersecurity firm F.A.C.C.T. Extradition of Ermakov in the current political environment seems highly unlikely. The legal action against Medibank serves a critical reminder for organizations to prioritize data security and adhere to privacy regulations. The outcome of this lawsuit will likely influence how Australian entities manage and protect personal information in the future, reinforcing the need for stringent cybersecurity practices in an evolving digital landscape. “Organizations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe,” Kind said.