The Office of the Australian Information Commissioner Commences Legal Proceedings Against Medibank for Data Breach
Legal action has been initiated against Medibank Private by the Office of the Australian Information Commissioner (OAIC) in the Federal Court this week over a data breach at Medibank and its subsidiary, ahm.
The OAIC claims that during the period from March 2021 to October 2022, Medibank unlawfully interfered with the privacy of 9.7 million Australians as it failed to implement adequate measures to safeguard their personal data from unauthorized access or disclosure, in violation of the Privacy Act 1988.
A cyber attack targeted Medibank during that time, resulting in threat actors gaining access to the personal information of numerous current and former customers. Subsequently, this information was made public on the dark web.
“By exposing personal data on the dark web, a significant number of Australians were put at risk of serious harm, including emotional distress, identity theft, extortion, and financial crimes,” stated acting Australian Information Commissioner Elizabeth Tydd. “Our claim is that Medibank neglected to take appropriate measures to secure the personal data it managed, considering its scale, resources, the nature and volume of sensitive information involved, and the potential risks of serious harm resulting from a breach.”
The breach prompted an OAIC investigation into whether Medibank’s conduct violated privacy regulations or Australian Privacy Principle 11.1. The investigation analyzed the company’s procedures for handling and securing personal data and assessed whether those measures were adequate to protect it against unauthorized access.
In the ongoing legal proceedings, the Federal Court has the authority to levy civil penalties of up to AUD 2.2 million for each breach.
