Australian health insurance firm Medibank under fire over security blunders years after cyber attack

People walk past a shop front for Australia's largest health insurance company Medibank, in Sydney on November 11, 2022.

The Office of the Australian Information Commissioner (OAIC) has hit Medibank with civil penalty proceedings in federal court, seeking to hold the firm to account for an alleged mishandling of public data. 

The OAIC referred specifically to the data breach at the firm in 2022 and claimed that, from March 2021 to October 2022, Medibank “seriously interfered” with the privacy of nearly 10 million (9.7 million) Australians.

Medibank stands accused of failing to take reasonable steps to protect the personal data of its customers from “misuse and unauthorized access or disclosure,” putting it in breach of the country's privacy legislation.

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion, and financial crime,” said acting Australian Information Commissioner, Elizabeth Tydd.

Tydd went on to reiterate that, given Medibank’s size and resources, as well as the nature and volume of the data in question, the firm did not pursue a “reasonable” course of action in protecting customers.

“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals,” she added.

Australian privacy commissioner Carly Kind made similar comments as part of the OAIC’s announcement, drawing attention to the responsibility that organizations have in protecting personal data.

“Organizations that collect, use, and store personal information have a considerable responsibility to ensure that data is held safely and securely. That is particularly the case when it comes to sensitive data,” Kind said.

She said that this particular case against Medibank should serve as a “wake-up call” to Australian organizations, prompting companies to invest more heavily in cyber security and ensure that they are prepared to meet developing challenges.

“Organizations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe,” she added.

Medibank has fought a drawn-out battle

Medibank suffered the attack nearly two years ago in October 2022. Data belonging to millions of former and current customers was exposed in the breach, including various pieces of sensitive information such as health claims and passport numbers.

The health insurance firm originally stated that threat actors gained access to 3.9 million customer records. Even at 3.9 million affected, this would have been a severe breach, with that figure constituting 15% of the country’s population at the time.

It was later revealed, however, that around 9.7 million customers were affected.

Costs continued to mount in 2023 as the firm revealed that it had spent about $26.2 million AUD (£14.7 million) in remediation costs. The firm said at the time it expected costs to rise to more than $45 million.

George Fitzmaurice
Staff Writer
