Medibank to defend OAIC’s federal court claims it ‘seriously interfered’ with customer privacy
The nation’s largest private health insurer plans to fight allegations it failed to protect the private information of nearly 10 million Australians following a cyber attack.
Australia’s largest private health insurer Medibank will defend allegations it failed to protect the personal information of its near 10 million current and former members in the wake of a major cyber attack.
The Australian Information Commissioner is taking Medibank to federal court after its major cyber security breach in 2022 when 9.7 million of its current and former customer’s private information was stolen and weaponised by a Russian hacker.
The news sent Medibank’s shares down almost 2 per cent on Wednesday, as weary investors tried to gauge the impact of a potential civil penalty.
The OAIC alleges that Medibank’ “seriously interfered” with the privacy of its 9.7 million customers between March 2021 to October 2022 s by failing to take reasonable steps to protect their private information. This action demonstrated failure to comply with the Privacy Act 1988.
When the hacker’s initial demands weren’t met, they went as far as publicly disclosing hundreds of procedures including the termination of non-viable pregnancies on the dark web, a move Medibank chief executive David Koczkar said was outright “disgraceful”.
Acting Information Commissioner Elizabeth Tydd said that “given its size, resources, the nature and volume of the sensitive and personal information it handled”, Medibank should have done more to protect the data of its customers. The company earned $7.1bn in revenue with an annual profit of $560m the year the breach took place.
“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” Ms Tydd said.
“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”
InvestorHub co-chief executive Ben Williamson said Medibank needed to address shareholders immediately on the potential costs and impact of the case.
“The potential fine Medibank is facing is likely to make many of its shareholders nervous, and in these cases, speculation will only serve to make things worse. To protect both Medibank and its shareholders, the company should get on the front foot in addressing this news, how it might impact their investment in Medibank, and what the company is doing about it,” he said.
The OAIC’s action against Medibank should arrive as a “wakeup call” to other organisations that collect large amounts of data, Privacy Commissioner Carly Kind said.
“Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely. That is particularly the case when it comes to sensitive data,” Ms Kind said.
“This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”
Some have said that the OAIC’s move was an attempt to demonstrate to the public that it was not “a toothless tiger”.
“Penalties need to hurt to make sure leaders take cybersecurity seriously, but they’d also need to factor in a constructive element that doesn’t cripple the business’ ability to continue serving its customers, who’ve already suffered enough,” said Matt Boon, Senior Research Director at Adapt, told The Australian.
“Given we’re yet to see any breached Australian company really made an example of, this is a message from regulators that they no longer want to be seen as a toothless tiger.”
Earlier this year, Russian authorities reportedly detained Aleksandr Ermakov, the alleged perpetrator of Medibank’s massive data breach, as the Australian Federal Police continue to investigate the cyber assault.
The detainment arrived one month after the Albanese government named Ermakov as the mastermind behind the breach and Australia, the US and the UK imposed sanctions on him.
The sanctions were aimed at limiting the ability of any criminal organisations to do business, including the potential exchange of any hacked data with Ermakov. That made it a criminal offence punishable by up to 10 years’ jail to do business, including through cryptocurrency or ransomware payments, with hackers that the government identified.
Medibank is the second major Australian company to face federal court action over failing to protect its customer’s data in recent weeks.
Late in May, the Australian Communications Media Authority filed proceedings against Australia’s second-largest telco, claiming that Optus’ action on September 17 and 20, 2022, did not meet the requirements of the Telecommunications act.
More Coverage
iPhone 16 review: Apple faces its ‘Barbie moment’
Consumers and Barbie fans will be tickled pink by Apple’s new iPhone colours. But how do the new models stack up, and is buying a Pro still worth it? We take a look.
Meta urged to regulate youth data use
Meta’s new self-enforced safety standards have drawn attention to its use of young Australians’ private data, argued to be driving harms that are still unchecked.