The Australian Information Commissioner has filed a lawsuit against Medibank over the 2022 data breach that exposed millions of customers’ information to the dark web.
The Commissioner announced the lawsuit in a statement released on 5 June.
Medibank said it intends to defend the lawsuit in a statement to the Australian Stock Exchange.
In October 2022, Medibank disclosed a hacker had stolen and released the personal data of 9.7 million customers — one of the largest data breaches in Australia.
The data included Medibank and its subsidiary ahm customers’ names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, and international students’ passport numbers.
An investigation into the breach by the Australian Signals Directorate (ASD) and the Australian Federal Police (AFP) linked Russian national Aleksandr Ermakov to the attack.
Medibank refused to pay the hacker an undisclosed amount in ransom, in line with official advice from the federal government.
Acting Commissioner Elizabeth Tydd said, “We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.”
Among the largest private health insurers in Australia, Medibank reportedly generated revenue of $7.1 billion and an annual profit of $560 million earlier that year.
“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” said Tydd.
The Commissioner alleges Medibank’s failure to protect millions of customers’ personal information constitutes a breach of the Privacy Act 1988.
As the Federal Court can impose a civil penalty of up to $2.22 million for each individual breach, Medibank could face over $21 trillion in fines.
Privacy Commissioner Carly Kind said, “This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape.
“Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”