Legal action has been initiated against Medibank by Australia’s privacy watchdog for alleged lapses in safeguarding personal data following a security incident in 2022.
The Australian Information Commissioner Office (OAIC) revealed that it lodged “civil penalty proceedings” against the insurance company earlier on Wednesday.
In response, Medibank mentioned in a concise financial disclosure [pdf] that it plans to challenge the legal action.
It disclosed that the decision was made following an inquiry into the data compromise, which affected 9.7 million existing and past clients.
Acting Australian information commissioner Elizabeth Tydd remarked that the disclosure of pilfered data on the dark web “left a significant number of individuals vulnerable to potential harm, including emotional distress and the substantial threat of identity theft, blackmail, and financial malfeasance.”
iTnews indicated back in March that authorities had identified “more than 11,000” cybercrime occurrences tied to the Medibank incident.
Tydd stated that the OAIC would argue that Medibank “neglected to implement rational precautions to secure the personal information in its possession, considering its scale, capabilities, the nature and volume of the sensitive and personal data it managed, and the peril of significant harm to an individual in case of a violation.”
“We believe that Medibank’s actions led to a major intrusion into the privacy of a considerable number of individuals,” she added.
The OAIC’s prior examination focused on Medibank’s handling and safeguarding of personal details, and the adequacy of measures taken to prevent unauthorized access to the data.
The information commissioner has the authority to seek a civil fine from an entity that has experienced a security breach; however, the decision on imposing a penalty lies entirely with the Court.
About Author
