Medibank is being taken to the Federal Court by Australia’s privacy watchdog over alleged failures to protect personal information, stemming from a 2022 data breach.
The Office of the Australian Information Commissioner (OAIC) said it had filed “civil penalty proceedings” against the insurer on Wednesday morning.
Medibank said in a brief financial filing that it “intends to defend the proceedings”.
The OAIC said the decision followed its investigation into the data breach, which affected 9.7 million current and former customers.
Acting Australian information commissioner Elizabeth Tydd said that the leak of stolen data to the dark web “exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime.”
iTnews reported in March that “over 11,000” cybercrime incidents had been linked by authorities to the Medibank breach.
Tydd said the OAIC would allege that Medibank “failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.”
“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals,” she said.
The OAIC’s earlier investigation covered Medibank’s personal information management and security practices, and whether it took “reasonable” steps to protect information from unauthorised access.
The information commissioner can apply to the Federal Court to impose a civil penalty on a breached organisation; whether a penalty is forthcoming is entirely a decision of the Court.