Huge potential fines on the table as Medibank sued over 2022 data breach

Published June 5, 2024

Health insurance giant Medibank is facing a maximum fine theoretically in the trillions of dollars after the Australian Information Commissioner filed proceedings in the Federal Court over its 2022 cyber attack.

Soon after the hack on the health insurer and its subsidiary ahm, some customer data was posted to the dark web.

The hackers intentionally targeted sensitive patient information, which included data about four people who had undergone pregnancy terminations, as well as many more names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for customers of Medibank budget brand ahm (but not expiry dates), and in some cases passport numbers for international student customers (but not expiry dates).

Medibank refused to pay the ransom demanded by the hackers, something the federal government said was consistent with official advice.

The commissioner now alleges Medibank seriously interfered with the privacy of 9.7 million Australians by “failing to take reasonable steps to protect their personal information”.

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” Acting Australian Information Commissioner Elizabeth Tydd said in a statement.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.

“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

Huge potential fines

The Commissioner is subsequently going after the company for misuse and unauthorised access or disclosure in breach of the Privacy Act 1988.

Each individual contravention comes with a maximum penalty of $2.22 million.

The commissioner is alleging a contravention for each of the 9.7 million customers, which works out to a potential maximum fine of more than $21 trillion.

It will be up to the Federal Court whether any fines are applied.

Changes to the Privacy Act in late 2022 capped the maximum fine a company could receive at $50 million, but the date of the breach allows the commissioner to sue Medibank under the previous rules.

The hack on Medibank was one of the biggest to ever hit Australian consumers, and sits alongside other headline-making breaches at Optus and Latitude.

The group’s net profit after tax for the first half of financial year 2023 was up 5.9 per cent to $233.3 million.

Its revenue rose 1.3 per cent to $3.65 billion.

Medibank confirmed it knew about the legal action brought by OAIC, and said it “intends to defend the proceedings”, in a statement to the ASX.
