Privacy watchdog sues Medibank over cyber hack
By David Swan
Australia’s privacy watchdog is suing health insurance giant Medibank following its October 2022 data breach, alleging the company breached the nation’s privacy laws and exposed its customers to a risk of identity theft, extortion and financial crime.
The Office of the Australian Information Commissioner (OAIC) has filed civil proceedings in the Federal Court against Medibank over the hack, in which nearly 10 million current and former Medibank customers had their information released on the dark web.
The watchdog alleges Medibank failed to take reasonable steps to protect customers’ personal information from misuse and unauthorised access, in breach of Australia’s Privacy Act, alleging one contravention of the Act for each of the 9.7 million affected customers.
The company faces a potential penalty of up to $2.22 million for each contravention of section 13G of the Privacy Act, the provision covering serious or repeated interferences with privacy, which applies where “the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals”.
“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” Australian Information Commissioner Elizabeth Tydd said on Wednesday.
“We allege Medibank failed to take reasonable steps to protect personal information it held, given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.
“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”
In October 2022, criminals accessed basic account details of 9.7 million current and former Medibank customers, as well as the health claim data for about 160,000 Medibank customers, 300,000 customers of its budget arm, ahm, and 20,000 international customers. It was one of the worst cyber breaches ever reported in Australian history.
After the company refused to pay a $15 million ransom, the hacker published customer claim data for sensitive conditions – including abortions, drug and alcohol abuse and mental health disorders – on the dark web.
Tydd said Medibank, which collects and holds customers’ sensitive health information, had a responsibility to protect it adequately, noting that in the financial year ending June 2022 the company generated revenue of $7.1 billion and an annual profit of $560 million.
Medibank said it intends to defend the proceedings.
The company is also facing a class action lawsuit brought by law firm Maurice Blackburn.
The Australian government has previously named Russian man Aleksandr Ermakov as the person responsible for the 2022 hack. In January, the government used new cyber sanctions laws for the first time to impose financial sanctions on him, and in February he was reportedly detained in Russia.
Privacy commissioner Carly Kind on Wednesday called the case a “wake-up call” for Australian organisations to invest better in their digital defences. She said her office had received multiple individual complaints from customers, as well as a representative complaint, lodged by Maurice Blackburn Lawyers.
“Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely. That is particularly the case when it comes to sensitive data,” she said.
“This case should serve as a wake-up call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape.
“Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”
Australia’s second-largest telco, Optus, is also facing Federal Court action over its 2022 data breach. Communications watchdog ACMA lodged paperwork with the court in May. Optus has said it will defend the proceedings.
Like the Medibank breach, the Optus breach affected nearly 10 million customers and left the company exposed to class action lawsuits and privacy investigations.
Over the past week, ticketing firms Ticketmaster and Ticketek were also both hit by data breaches in what cybersecurity experts warn has become a “new normal” of regular cyberattacks affecting Australian businesses.