Medibank could face $21.5 trillion fine over data theft
The Australian Information Commissioner has launched proceedings over Medibank's data breach. Photo: AAP
Medibank could face trillions of dollars in fines after the Australian Information Commissioner launched legal action over a major data breach.
The 2022 cybersecurity incident that affected 9.7 million Medibank and Ahm customers occurred when hackers stole personal and highly sensitive information and published it on the dark web.
The Office of the Australian Information Commissioner announced on Wednesday it had filed penalty proceedings in the Federal Court following an investigation into the incident, claiming the health insurance giant failed to adequately protect its customers in breach of privacy law.
The court could impose fines of up to $2.2 million for each contravention of the Privacy Act, creating a maximum possible fine of more than $21.5 trillion.
In a statement to the Australian Stock Exchange, Medibank said it intended to defend the proceedings.
The OAIC launched an investigation into Medibank’s actions after it was notified of the data theft on October 25, 2022.
The incident involved criminals accessing information such as customers’ names, addresses, Medicare numbers, contact details, some passport numbers, and details of health procedures.
Some of the details were published on the dark web, which acting commissioner Elizabeth Tydd said left victims vulnerable to further crimes.
“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” she said.
“We allege Medibank failed to take reasonable steps to protect personal information given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.”
Any civil penalties issued against Medibank will be decided by the Federal Court.
Several Medibank customers have also lodged complaints with the OAIC, and Maurice Blackburn has filed a class action lawsuit.
Privacy Commissioner Carly Kind said she hoped the court case would encourage other businesses to strenuously protect the sensitive data they held.
“This case should serve as a wake-up call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape,” she said.
“Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”
The Medibank hack was one of several recent corporate data attacks, including data theft from Optus, Ticketmaster, and financial services firm Latitude.
Electronic prescription firm MediSecure also revealed criminals had stolen its private data about customers last month, and published the information on the dark web.
In a statement, the company said it was working with the National Cyber Security Coordinator and forensic data experts to “confirm the extent of the data breach and all individuals impacted”.
-AAP