Office of the Information Commissioner commences civil penalty proceedings against Medibank today

June 5, 2024

The Australian Information Commissioner has issued civil penalty proceedings against Medibank Private Limited arising from the massive October 2022 data breach. That is 20 months after the breach. This adds to Medibank’s litigation arising from that data breach. There is also a class action in the Federal Court against Medibank, Zoe Lee McClure v Medibank Private Limited (ACN 080 890 259). It is also subject to a representative complaint.

Medibank did not issue a press release but it did release a notice to the Australian Stock Exchange stating:

Medibank advises that the Australian Information Commissioner has today commenced civil penalty proceedings against Medibank in the Federal Court of Australia in connection with the 2022 cybercrime event.

The proceedings relate to the Commissioner’s own investigation into the 2022 cybercrime event. The Commissioner alleges that Medibank breached Australian Privacy Principle 11.1.

Medibank intends to defend the proceedings.

The Commissioner’s press release provides:

The Australian Information Commissioner has filed civil penalty proceedings in the Federal Court against Medibank Private Limited in relation to its October 2022 data breach.

The Commissioner alleges that from March 2021 to October 2022, Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988.

The proceedings follow an investigation initiated by Australian Information Commissioner Angelene Falk after Medibank was the subject of a cyber attack in which one or more threat actors accessed the personal information of millions of current and former customers, which was subsequently released on the dark web.

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” said acting Australian Information Commissioner Elizabeth Tydd.

Medibank’s business as a health insurance services provider centrally involves collecting and holding customers’ personal and sensitive health information. In the financial year ending June 2022, Medibank generated a revenue of $7.1 billion and an annual profit of $560 million.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” said Commissioner Tydd.

“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

Privacy Commissioner Carly Kind said, “Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely. That is particularly the case when it comes to sensitive data.”

“This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”

Background

The Office of the Australian Information Commissioner (OAIC) commenced an investigation into Medibank’s privacy practices following a data breach of Medibank and its subsidiary ahm that was notified to the office on 25 October 2022.

The investigation focused on whether Medibank’s acts or practices were an interference with privacy or a breach of Australian Privacy Principle (APP) 11.1.

Under APP 11.1, Medibank is required to take such steps as are reasonable in the circumstances to protect the information it holds from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.

The OAIC’s investigation considered Medibank’s practices regarding the management and securing of personal information and whether such steps were reasonable in the circumstances to protect the personal information from unauthorised access.

The Australian Information Commissioner may apply to the Federal Court for a civil penalty order where an entity is alleged to have engaged in serious or repeated interferences with privacy in contravention of section 13G of the Privacy Act.

For these proceedings, the Federal Court can impose a civil penalty of up to $2,220,000 for each contravention of section 13G (as per the penalty rate applicable from March 2021 to October 2022). Whether a civil penalty order is made and the amount are matters before the court.

The OAIC has also received multiple related individual complaints and a representative complaint.

The Australian has covered the story with “Medibank to defend OAIC’s federal court claims it ‘seriously interfered’ with customer privacy”, which provides:

Australia’s largest private health insurer Medibank will defend allegations it failed to protect the personal information of its nearly 10 million current and former members in the wake of a major cyber attack.

The Australian Information Commissioner is taking Medibank to federal court after its major cyber security breach in 2022 when 9.7 million of its current and former customers’ private information was stolen and weaponised by a Russian hacker.

When initial demands weren’t met, the hacker went as far as disclosing hundreds of procedures including the termination of non-viable pregnancies online, a move Medibank chief executive David Koczkar said was outright “disgraceful”.

The OAIC alleges that Medibank “seriously interfered” with the privacy of its 9.7 million customers between March 2021 and October 2022 by failing to take reasonable steps to protect their private information. This action demonstrated a failure to comply with the Privacy Act 1988.

Acting Information Commissioner Elizabeth Tydd said that “given its size, resources, the nature and volume of the sensitive and personal information it handled”, Medibank should have done more to protect the data of its customers. The company earned $7.1bn in revenue with an annual profit of $560m the year the breach took place.

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” Ms Tydd said.

“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

The OAIC’s action against Medibank should arrive as a “wakeup call” to other organisations that collect large amounts of data, Privacy Commissioner Carly Kind said.

“Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely. That is particularly the case when it comes to sensitive data,” Ms Kind said.

“This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”

Earlier this year, Russian authorities reportedly detained Aleksandr Ermakov, the alleged perpetrator of Medibank’s massive data breach, as the Australian Federal Police continue to investigate the cyber assault.

The detainment arrived one month after the Albanese government named Ermakov as the mastermind behind the breach and Australia, the US and the UK imposed sanctions on him.

The sanctions were aimed at limiting the ability of any criminal organisations to do business, including the potential exchange of any hacked data with Ermakov. That made it a criminal offence punishable by up to 10 years’ jail to do business, including through cryptocurrency or ransomware payments, with hackers that the government identified.

Medibank is the second major Australian company to face federal court action over failing to protect its customers’ data in recent weeks.

Late in May, the Australian Communications and Media Authority filed proceedings against Australia’s second-largest telco, claiming that Optus’ action on September 17 and 20, 2022, did not meet the requirements of the Telecommunications Act.

The Financial Review has also covered the story with “Medibank faces maximum $21.5 trillion fine in new cyber hack case”.
