OAIC Launches Data Breach Legal Action Against Medibank

Medibank Private is off to court after the Office of the Australian Information Commissioner (OAIC) launched Federal Court civil proceedings this week concerning a data breach at Medibank and its subsidiary, ahm.

The OAIC alleges that from March 2021 to October 2022, Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988.

During that period, Medibank was the subject of a cyber attack in which threat actors accessed the personal information of millions of current and former customers. That information was later released on the dark web.

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” said acting Australian Information Commissioner Elizabeth Tydd. “We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.”

The breach prompted the OAIC to investigate whether Medibank’s acts or practices interfered with individuals’ privacy or breached Australian Privacy Principle 11.1, which requires an entity to take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. The OAIC’s investigation considered Medibank’s practices for managing and securing personal information and whether those steps were reasonable in the circumstances to protect that information from unauthorised access.

For these proceedings, the Federal Court can impose a civil penalty of up to AUD 2.2 million for each contravention.