Medibank Data Breach – Legal Lessons

by David McMullen | May 22, 2023 | Health Blog

In March 2023 we published a blog summarising the Commonwealth Attorney General’s Privacy Act Review Report which outlined 116 proposed changes to our privacy laws. This time we discuss the recent – and much publicised – Medibank Private Ltd (Medibank) data leak, the relevant legal issues, and what organisations should do to protect against legal fallout from a data breach of their own.

In October 2022, Medibank reported that ‘unusual activity’ on its network had resulted in its customer data being accessed and stolen by a third party.

The Medibank cyber-attack started with the theft of login details from an employee who had privileged access to the organisation’s internal systems. Those credentials were sold on the dark web to an unknown buyer, who used them to access Medibank’s internal network. Once inside, the attacker located the customer database and used the stolen login details to develop a script that automated the extraction of customer information.

Medibank’s security team closed the backdoors through which stolen data was being extracted, but not before the personal information of some 9.7 million current and former customers was compromised. This included names, birth dates, phone numbers, email addresses, Medicare and passport numbers, and (in some cases) sensitive healthcare information such as codes associated with diagnosis and medical procedures.

Update

On 1 December 2022, the Office of the Australian Information Commissioner (OAIC) announced that it had initiated an inquiry into the Medibank data breach.[1] The investigation will concentrate on determining whether Medibank implemented appropriate measures to safeguard the personal data in its possession from misuse, interference, loss, unauthorised access, or disclosure. Additionally, the probe will examine whether Medibank adequately established practices, procedures, and systems to ensure adherence to the Australian Privacy Principles (APPs). If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then significant civil penalties may be imposed. As a result of changes to the Privacy Act 1988 (Cth) which commenced in late 2022, civil penalties for companies in appropriate cases may be up to the greater of: $50 million; or three times the value of benefits obtained or attributable to a breach (if quantifiable); or else, 30% of a company’s ‘adjusted turnover’ during the relevant ‘breach turnover period’.[2]

In addition to the OAIC investigation, Medibank is now facing multiple class action lawsuits from affected customers and shareholders who acquired interests in the health insurance provider in the last two years.

  • Affected customers allege that Medibank breached Australia’s privacy laws and failed to adequately protect the personal and health information of its current and former customers.
  • Shareholders allege that Medibank breached its continuous disclosure obligations under the Corporations Act 2001 (Cth), due to the non-disclosure of deficiencies in the company’s cyber security defences.

Protecting Against Data Breaches

The OAIC has broad powers under the Privacy Act to initiate investigations into possible data breaches. Decisions to investigate may be based on such things as complaints from individuals, media reports and social media commentary. The Medibank data breach is therefore a stark reminder that organisations to which the Privacy Act and APPs apply must take reasonable steps to protect personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure.

  • The nature of these ‘reasonable steps’ will depend on the size, resources, business model, and complexity of an organisation’s operations. Healthcare businesses, for example, will typically handle large volumes of sensitive health information, so their internal practices, procedures, systems, and IT and communication technology security measures must all be geared accordingly.
  • In the event of a data breach that is likely to cause serious harm, organisations must notify the OAIC as well as affected individuals – to help inform and enable affected individuals to take steps to protect themselves. We have previously written about notifiable data breaches.

If you seek any further information about your organisation’s privacy obligations, please contact David McMullen.

[1] https://www.oaic.gov.au/newsroom/oaic-opens-investigation-into-medibank-over-data-breach

[2] The maximum civil penalty for individuals is now $2.5 million.

David McMullen