
Medibank Faces Civil Action Over Cyberattack That Hit 9.7 Million Customers


Health insurer Medibank Private is facing civil action over a 2022 cyberattack that compromised the privacy of 9.7 million customers. 

The Office of the Australian Information Commissioner (OAIC) has filed civil penalty proceedings in the Federal Court.

It alleges that Medibank failed to take reasonable steps to protect personal information from misuse and unauthorized access or disclosure.

The OAIC claims that Medibank's actions from March 2021 to October 2022 seriously interfered with customer privacy. 

This legal action follows an investigation initiated by Australian Information Commissioner Angelene Falk after the cyberattack.

The attack exposed the personal information of millions of current and former Medibank customers, which was later released on the dark web.


Acting Australian Information Commissioner Elizabeth Tydd said: “The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion, and financial crime.”

Tydd emphasized that Medibank’s business involves handling sensitive health information.

She said the company generated $7.1 billion in revenue and $560 million in profit in the FY22 financial year. 

Tydd added: “We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.

“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”


Medibank confirmed the civil action by announcing to the ASX: “Medibank intends to defend the proceedings.”


The insurer faces a civil penalty of up to $2.22 million for each contravention of section 13G of the Privacy Act. 

Privacy Commissioner Carly Kind highlighted organizations' significant responsibility in ensuring data security, particularly for sensitive information.

Kind said: “This case should serve as a wake-up call to Australian organizations to invest in their digital defenses to meet the challenges of an evolving cyber landscape.

“Organizations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”
