The Australian Information Commissioner (AIC), a Government agency, has filed Federal Court proceedings against health insurance provider Medibank over its 2022 data breach.
It comes after the AIC conducted an investigation into Medibank’s privacy practices.
It alleges Medibank failed to take reasonable steps to protect the data of 9.7 million Australians.
Medibank could face penalties of up to $2.2 million in fines for each breach of the Privacy Act.
Context
The 2022 data breach impacted Medibank and its health insurance subsidiary ‘ahm’. In November 2022, Federal Police confirmed Russian hackers were responsible for the hack.
Hackers released sensitive patient information, including the details of abortions and drug use treatment.
Names, addresses, dates of birth and phone numbers were also stolen.
The hackers posted data obtained during the breach to the dark web after Medibank refused to pay a ransom.
Why the Government is suing Medibank
The AIC alleges Medibank’s safety measures were poor given its size, resources and the nature and volume of the sensitive and personal information it handled.
Privacy Commissioner Carly Kind said: “Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely.”
“This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape,” Kind said.
Medibank Response
Medibank has previously apologised to its impacted clients.
In a statement today, the health insurer said it intends to fight the proceedings.
TDA contacted Medibank for comment but it declined to respond as the matter is now before the courts.
Medibank also faces a class action brought by former and current customers over the breach.