
On 5 June 2024, the Australian Information Commissioner commenced civil penalty proceedings in the Australian Federal Court against Medibank Private Limited (an Australian health insurance provider) in relation to an October 2022 data breach.

On 25 October 2022, Medibank notified the Office of the Australian Information Commissioner (OAIC) of a data breach concerning sensitive personal information of 9.7m Australians (approximately 37% of Australia’s total population). As a result of a cyber-attack, malicious actors had gained access to a large store of customer data that included identity details, government identifiers, and medical and insurance records. Over the course of several weeks, the malicious actors ‘leaked’ sensitive personal information of Medibank customers and other affected individuals onto the dark web while pursuing cyber ransoms from the insurance provider.

The OAIC completed its investigations and determined that Medibank’s privacy practices did amount to an interference with the privacy of Australian individuals and has commenced civil penalty proceedings against the health insurer. Importantly, the OAIC’s proceedings are not a penalty for having suffered a data breach, or a penalty for failing to comply with Australian data breach notification obligations (Medibank did report the data breach in accordance with its obligations at law). Rather, the OAIC is alleging Medibank’s data security standards were insufficient – that Medibank failed to take reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as from unauthorized access, modification or disclosure.

Squire Patton Boggs attorney Connor McClymont discusses this matter in detail on our Privacy World Blog.