Medibank faces trillion-dollar fine for data breach

Medibank is facing multi-million dollar fines following the Australian privacy watchdog’s decision to take them to court over the healthcare insurer’s October 2022 data breach. 

If the court finds against Medibank on all counts and inflicts the maximum penalties, the fines could theoretically reach the trillions. 

The Office of the Australian Information Commissioner (OAIC) is the independent national regulator of privacy and freedom of information and has issued civil proceedings in the Federal Court over the 2022 breach.

Trillion-dollar fines

The OAIC is alleging a contravention for each of the 9.7 million customers, and each contravention comes with a maximum penalty of $2.2 million. If the courts agreed to the maximum penalty the fines could total $21 trillion.

Changes to the Privacy Act in 2022 capped the maximum penalty at $50, but as the breach occurred before that date, Medibank faces the former fine schedule. 

The OAIC alleges that from March 2021 to October 2022, Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” said acting Australian Information Commissioner Elizabeth Tydd. 

“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

In October 2022 Medibank and its subsidiary ahm were hacked. The hackers demanded a ransom, which Medibank refused to pay and as a result, some customer data was posted to the dark web, including names, addresses, birthdays, phone numbers, email addresses, customer numbers and passport numbers for international students. Medibank also confirmed almost 500,000 heath claims were stolen. 

Russian hacker named

A Russian national named Alexander Ermakov has been blamed for the attack. 

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” Ms Tydd said.

For these proceedings, the Federal Court can impose a civil penalty of up to $2,220,000 for each contravention of section 13G of the Privacy Act.

Several law practices have also commenced class action proceedings against Medibank.

University of NSW cyber security expert Richard Buckland told the ABC the massive breach demonstrated that Australian companies were often lax in the security standards.

“How can we be sure, despite their [companies’] protestations, that they’re actually looking after our data?” Professor Buckland said.

“In fact, it looks like probably on average, they’re not.”

“I think this action by the Information Commissioner is well overdue, I’m really glad it’s happening, and I think it will change the practice and attitudes of boards across the country.”

Medibank said it “intends to defend the proceedings” in a statement to the ASX.

Was your data stolen in the Medibank incident? Why not share your experience in the comments section below?

Also read: Health insurance complaints spike