What’s happening with the Medibank data breach litigation?

News this week was that Medibank failed in its bid to stop the OAIC investigations into the October 2022 data breach.

But what’s the background to the case and what does the loss mean for Medibank? If you’re interested in the Judgment of Beach J it is here – and it is an interesting read.  If you are just interested in the highlights then here goes…

What Happened: The 2022 Medibank Data Breach

First of all, a quick reminder of what happened.

Medibank first detected some “unusual activity” on its internal systems on 13 October 2022. After dealing with the cyber-attack, Medibank said in a statement that there was “no evidence that customer data has been accessed” during the breach.

It turned out that the attackers had exfiltrated  personal details of all 9.7 million of its customers. The attackers first tried extort Medibank, demanding a ransom that the company refused to pay.

The saga ended with the hackers dumping the full 5GB dataset online.  According to Maurice Blackburn, the law firm running the representative complaint to the OAIC (discussed further below), this dataset included:

• current and former customers’ names,
• dates of birth,
• addresses,
• phone numbers and emails,
• some Medicare card numbers,
• some passport numbers,
• health claim data (service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered),
• some next-of-kin contact details for My Home Hospital patients, and
• health provider details, including names, provider numbers and addresses.

(A full timeline of the data breach is here.)

A rookie mistake?

So, how did this happen? According to some, because of some fairly basic errors.

Medibank shared a brief outline of how Russian-based attackers accessed its systems in the Medibank half-yearly report. Access was obtained “using a stolen Medibank username and password used by a third-party IT service provider”.  According to the report: “The criminal used the stolen credentials to access Medibank’s network through a misconfigured firewall which did not require an additional digital security certificate.” The attacker then leveraged this access to gather further usernames and passwords, giving access to a number of Medibank’s systems.

Providing a third party with uncontrolled access to its systems has been described as a “rookie mistake” by Medibank.

Given the seriousness and extent of the breach it is not a surprise that litigation has ensured.  And that is where the fun beings.

Who’s Suing? The Three Medibank Data Breach Litigation Matters

At the heart of the recent decision is that there are three different ‘cases’ underway relating to the Medibank breach, and lawyers are concerned that it could all get too confusing.

Two of the cases involve the Australian Information Commissioner (AIC) and its ‘subsidiary office’ – the Office of the Australian Information Commissioner (OAIC). And the other is the ‘class action’ bought in the Federal Court.

Looking at those more closely we have:

1. AIC -initiated investigation: This is the investigation that the AIC is undertaking off its own bat.  It has the power to investigate breaches of the Privacy Act (called Commissioner Initiated Investigations) and, among other powers, to make ‘determinations’ as a result of any such investigation.  The AIC’s determination may include requiring payment of compensation and a requirement for Medibank to take acts to rectify any issues to ensure a similar breach does not occur.
2. OAIC representative investigation: This investigation is being undertaken by the OAIC and is in response to a representative complaint lodged with the OAIC against Medibank (by Maurice Blackburn on behalf of affected individuals).  This investigation is very similar to the AIC-initiated investigation but has some different nuances because there are complainants in this process. These ‘nuances’  include looking to some sort of conciliation of the complaint.  Ultimately, however, if no conciliation is possible, then the OAIC can make a determination in the same way as outlined above in related to AIC-initiated investigations.
3. Class action: In addition to the above investigations, there is a separate class action being pursued in the Federal Court (class action)

What’s the most recent case about?

What could possibly go wrong with two investigations and one court case underway, right?

Medibank is worried it could all get too confusing.  Consequently, Medibank brought an application in the Federal Court asking for an injunction to restrain the AIC from proceeding with its own investigation (#1 above) and the OAIC from proceeding with the representative complaint investigation (#2 above) because they were of the view that the AIC-initiated investigation and the OAIC-representative complaint investigation would give rise to a risk of factual and legal conclusions.

Rather than allow the AIC and OAIC investigations to continue, Medibank wanted any findings to be made with respect to the same or overlapping questions being asked by the Federal Court in the class action.

One can guess why Medibank might prefer the Federal Court route: Federal Court proceedings have far more legal process and rules than an investigation, giving lawyers the opportunity to object and argue about the evidence presented (among other things).

It is also highly likely that the Federal Court proceedings will take far, far longer than the regulators’ investigations, with any decision likely to be made many years after the breach (when the distress and anxiety caused has abated and perhaps another major data breach overshadows this one).  Federal Court proceedings are also very expensive (particularly as they drag on).

This could be a problem for regulators like the AIC (and OAIC), which have been notoriously underfunded for decades.

What did the court decide?

Medibank’s request for an injunction to set the AIC and OAIC investigations was dismissed.

Beach J noted that the investigations and the class action would consider the same relevant legal principles, facts and context but didn’t see that an injunction was warranted.

The reasons for the decision included that:

• OAIC determinations aren’t binding or conclusive and enforcement requires an application to the Federal Court (which gives the Federal Court the opportunity to review the facts in any case);
• In order for inconsistent findings to occur, the Federal Court class action would need to proceed to trial and judgment, and this is unlikely to happen any time soon;
• The OAIC determination is likely to be made prior to the commencement of the class action – as the docket judge in the Federal Court proceeding, Beach J is able to ensure that the Federal Court class action proceeding takes place after any OAIC determinations and enforcement proceedings
• If the OAIC representative complainant sought to enforce the OAIC determination, the application could be bundled into the Federal Court class action which would ensure that any ultimate findings were consistent

In short, any Determination made from an investigation (whether complaint-based or Commissioner-initiated) is ‘appealable’ to the Federal Court, which has full power to review the facts from the start (‘de novo’, as they say).

Given that’s the case, there’s no point in stopping those investigations now as, if Medibank or the complainants don’t like the outcomes, they can go to the Federal Court for full review.  And if they do, it’s likely that all the cases will then be bundled together.

What happens now?

This decision may be appealed.  But in the meantime, the AIC and OAIC investigations continue.

It is now March 2024, nearly 1.5 years since the data breach.  It is unclear when the outcomes of either the AIC or OAIC investigation will be released but this proceeding has no doubt significantly delayed that process.

This is hard not only for those adversely affected by the breach but also for the regulated community that relies on the outcomes of investigations to provide guidance as to the regulator’s compliance expectations.

In contrast – in June 2023, APRA imposed a $250 million capital adequacy requirement on Medibank Private following its scrutiny of Medibank’s information security environment after the cyber security incident it faced in October 2022.

It is unfortunate that, to date, the OAIC has not provided a clearer indication of the controls it expects to be in place to protect personal data. This guidance may come from the Medibank cases, but it is likely to be many years before that guidance concludes.