Medibank has found itself in the Federal Court after the Office of the Australian Information Commissioner (OAIC) filed a lawsuit against the health insurer relating to the data breach it suffered back in 2022.
For context, the Medibank data breach occurred in October 2022, resulting from a ransomware attack by a member of the Russia-based REvil ransomware gang, 33-year-old Aleksandr Ermakov.
The data of 9.7 million current and former Medibank customers was exposed in the breach, after the health insurer refused to pay $10 million in ransom payments to the group.
Now, the OAIC said it is filing “civil penalty proceedings” against the health insurer, which has said it “intends to defend” the proceedings.
The filing accuses Medibank of failing to take the necessary steps to protect its customers and their data from misuse by threat actors, after an OAIC investigation determined that the insurer’s acts and practices breached Australian Privacy Principle (APP) 11.1.
APP 11.1 states that “if an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information: from misuse, interference and loss; and from unauthorised access, modification or disclosure”.
The OAIC is arguing that Medibank’s actions from March 2021 to October 2022 constitute a breach of section 13G of the Privacy Act 1988.
“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” acting Australian information commissioner Elizabeth Tydd said.
“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.”
“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”
According to a federal cyber crime inquiry by Victoria Police earlier this year, over 11,000 cases of cyber crime have been connected to the Medibank data breach.
If the court rules in favour of the OAIC, the Federal Court can impose a civil penalty of up to $2,220,000 for each breach of section 13G of the Privacy Act.
“Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely. That is particularly the case when it comes to sensitive data,” privacy commissioner Carly Kind said.
“This case should serve as a wake-up call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”
The latest proceedings are likely to be heavily influenced by another proceeding in which Medibank is attempting to claim legal professional privilege over a Deloitte report into the data breach.
Lawyers behind a class action against the insurer have told the Federal Court this report is being kept hidden from them despite a number of promises made by Medibank in late 2022 and 2023 to be transparent with the public and to share everything it learnt with other Australian businesses.
Appearing in court on Thursday (23 May), chair Michael Wilkins was questioned by counsel Wendy Harris KC on how the insurance giant could have committed to sharing the key outcomes from the Deloitte report back in 2022–23, only to insist on its confidentiality now.
“We were committing to sharing the key outcomes where appropriate and that, to my mind, did not mean sharing the reports,” Wilkins said.
Harris pressed Wilkins on public statements he and the rest of the board made, including CEO David Koczkar, in media releases and on the Australian Securities Exchange (ASX) following the hack.
Harris told the court this included promises to keep the public informed and a commitment to strengthening Medibank’s systems, but made no mention of the report’s dominant purpose being its use as a legal document.
While the report will not necessarily become public if the court rules that Medibank must share it with the lawyers behind the class action, some details are likely to become public in the proceedings and could be used in the Federal Court’s other decisions.
The OAIC could also request access to the report.