Health insurer Medibank Private (ASX: MPL) is facing civil action over a cybercrime incident in 2022 that is said to have breached the privacy of 9.7 million customers.
The Office of the Australian Information Commissioner has filed civil penalty proceedings in the Federal Court against Medibank Private, with the data protection authority alleging that the health insurer failed to take reasonable steps to protect the personal information of these customers from misuse and unauthorised access or disclosure.
The commissioner alleges that from March 2021 to October 2022, Medibank’s actions amounted to a serious interference with the privacy of the customers.
The proceedings follow an investigation initiated by Australian Information Commissioner Angelene Falk after Medibank was the subject of a cyber-attack in which one or more threat actors accessed the personal information of millions of current and former customers, which was subsequently released on the dark web.
“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” says acting Australian Information Commissioner Elizabeth Tydd.
The commissioner notes that Medibank’s business involves collecting and holding customers’ personal and sensitive health information and that in financial year FY22 the company generated revenue of $7.1 billion and an annual profit of $560 million.
“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” says Tydd.
“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”
Medibank confirmed the civil action in a brief announcement to the ASX this morning.
“Medibank intends to defend the proceedings,” says the company.
Medibank faces a civil penalty of up to $2.22 million for each contravention of section 13G of the Privacy Act.
Privacy Commissioner Carly Kind says organisations that collect, use and store personal information “have a considerable responsibility to ensure that data is held safely and securely”.
“That is particularly the case when it comes to sensitive data,” she says.
“This case should serve as a wake-up call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape.
“Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”