Australian Information Commissioner announces a notification of MediSecure data breach

May 21, 2024

It is hardly a surprise that MediSecure would make a notification under the mandatory data breach notification provisions of the Privacy Act 1988. It is a very significant data breach involving very sensitive information. Today the Information Commissioner’s Office has announced a preliminary inquiry.

It is interesting that the Privacy Commissioner has used this statement to call for reform of privacy laws. That is topical given the Government has announced that it will introduce a Bill into Parliament in August. By making something more than an anodyne statement, the Privacy Commissioner has done something quite new.

The statement provides:

The Office of the Australian Information Commissioner (OAIC) has been notified of the data breach involving MediSecure.

The National Cyber Security Coordinator is working with agencies across the Australian Government, states and territories to coordinate a whole-of-government response to this incident. The OAIC is actively engaging and collaborating with other agencies in this process, with a particular focus on the privacy of individuals and their personal information.

In accordance with our usual process, we have commenced preliminary inquiries with MediSecure to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme.

Under the NDB scheme, organisations covered by the Privacy Act 1988 must notify affected individuals and the OAIC as soon as practicable if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved.

As information about a data breach is gathered and assessed, the initial focus for the OAIC is ensuring that affected individuals are appropriately informed, so they may take steps to protect themselves from any further risk to their personal information.

“While this situation is ongoing, any major data breach reinforces the reality of today’s world: there are increasing cyber threats and continual challenges to digital defences,” Australian Privacy Commissioner Carly Kind said.

“Protecting individuals’ personal information should be a top priority for all organisations, which should continually review and improve their practices and take control where they can. Only collect information that is necessary for you to carry out your business. Know what information you hold. And if that information is not necessary to your business, delete it.

“The coverage of Australia’s privacy legislation lags behind the advancing skills of malicious cyber actors. Reform of the Privacy Act is urgent, to ensure all Australian organisations build the highest levels of security into their operations and the community’s personal information is protected to the maximum extent possible.”

In any data breach involving sensitive personal information, it is essential that individuals can find proper support. The OAIC has information on our website about data breach support and resources and responding to a data breach notification. Individuals are also encouraged to check the National Cyber Security Coordinator’s MediSecure cyber security incident webpage and the MediSecure website for updates about the incident.
