Understanding The OAIC Action Against Medibank: A Guide For Australian Organisations
This week, headlines focused on the potential for a $21 trillion penalty against Medibank for its 2022 data breach. While this most likely caught the attention of boards and business leaders in Australia, it’s far from the only takeaway from the OAIC’s civil penalty proceeding.
Background To The Breach & OAIC Penalty Proceedings
In case you missed it, the 2022 Medibank data breach involved the personal information of 9.7 million Australians, including sensitive medical information. Medibank did not pay the ransom requested by cyber crime group REvil and, as a result, the group released data on the dark web in a manner that essentially weaponised the health information. It included creating a ‘good’ and ‘naughty’ list, alongside publishing a list of individuals who had sought medical assistance to end a pregnancy.
Medibank has been widely criticised for its lax security practices given the sensitivity of the data it collects. The way that the criminals gained access to its systems was not sophisticated, and many have described the breach as ‘a rookie mistake’ on Medibank’s part.
So far, Australia has announced individual sanctions against a Russian national who is widely believed to have played a key role in the breach – Aleksandr Ermakov. Australia’s banking regulator, APRA, has also required Medibank to set aside $250 million for security remediation following the breach. Finally, there are representative claims and private class action lawsuits brought against Medibank by the individuals whose data was breached. It remains to be seen whether these succeed in the courts. Medibank tried to delay the OAIC investigation pending the outcome of those actions, but this was denied by the Federal Court. See our previous blog post for more background on that skirmish.
It’s likely that the OAIC action against Australian Clinical Labs (covered here) will be heard before the Medibank case goes to trial. The results of those proceedings will be of great interest in the Medibank case.
The OAIC Penalty Proceedings
After a significant delay at least partially caused by Medibank’s legal efforts to halt an investigation, the OAIC has brought civil penalty proceedings against Medibank for the data breach.
The OAIC alleges that Medibank did not take reasonable steps to protect the personal information it held. The proceedings contemplate Medibank’s size and considerable financial resources. The action also considers the nature and volume of the personal information Medibank held (sensitive health information).
Here’s what Medibank said in its press release:
“Medibank advises that the Australian Information Commissioner has today commenced civil penalty proceedings against Medibank in the Federal Court of Australia in connection with the 2022 cybercrime event.
The proceedings relate to the Commissioner’s own investigation into the 2022 cybercrime event. The Commissioner alleges that Medibank breached Australian Privacy Principle 11.1.
Medibank intends to defend the proceedings.”
Privacy Risks Boards Should Know
While we will need to wait and see how the OAIC’s civil penalty proceeding against Medibank shakes out, there are immediate takeaways for Australian organisations:
Understanding Civil Penalty Proceedings
The legal remedy that the OAIC is seeking against Medibank is not available for every data breach in Australia. It is rather extraordinary – and it’s also why we’re seeing such a huge potential penalty, which is uncommon for ‘typical’ privacy breaches in Australia.
Australia’s privacy laws only allow the Australian Information Commissioner (AIC) to apply to the Federal Court for a civil penalty order if a covered entity has allegedly engaged in serious or repeated interference with individual privacy. Penalties under this law range up to $2.5 million per breach. However, the maximum penalty in 2021-2022 when the Medibank breach took place was $2.2 million per breach. So, the potential (but unlikely) $21 trillion penalty for this breach is calculated based on 2.2 million multiplied by 9.7 million individuals whose data was stolen.
These potential penalties may surprise board members and business leaders. However, the OAIC is showing us that it is prepared to seek penalties for significant breaches. And, as a result, boards may want to reprioritise improving organisational cybersecurity and privacy hygiene.
It’s also important to know that it’s not only massive breaches that are attracting civil penalty proceedings. There is a similar action against Australian Clinical Laboratories for a breach that impacted 223,000 people. We covered that action in this post.
Your Security May Not Be Up To Scratch
The reality is that defence against data breaches in the current landscape is challenging. But, another reality is that many organisations are not even implementing the basics at this point – as is shown in the case here.
If you haven’t already, your organisation should reflect on the data it collects and consider the sensitivity of it. If you hold sensitive data, you will need to invest more into your cybersecurity for it to be deemed to have taken ‘reasonable steps’ to protect it.
For organisations that do not need to collect sensitive data, this case may serve as an incentive to stop and delete the existing data.
Organisations that collect sensitive information, and especially those that must store it for a long period, it’s time to put better protections in place.
You might consider starting with the Essential Eight Model outlined by the Australian Signals Directorate.
Increasing Regulator Activity
Privacy Commissioner Carly Kind said “This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”
Australia’s privacy regulators still have significant restraints in terms of the penalties they can dole out for privacy breaches. But we have seen more activity from the OAIC over the past twelve months than in years prior – and, to be honest, more vigour from the team running it.
For instance, Commissioner Carly Kind recently commented on the urgent need for reform of the Privacy Act to lift the standards for consent, expand the powers of the OAIC, and introduce a ‘fair and reasonable’ test for data use that would prevent companies from “using consent as a shield for bad privacy practices”. This commentary was provided in response to her conclusion that TikTok had not breached Australian law, as written, through its intense surveillance via the TikTok pixel.
A Final Note: Representative Complaints
The OAIC announced on 3 June that it had accepted a representative complaint regarding the Medibank breach. Potential ramifications of the representative breach for Mediban include financial payouts to the ‘class members’ (Medibank, AHM, and international student customers affected by the breach). The sum awarded can take the person’s feelings or humiliation resulting from the breach, as well as any other financial loss or damage.
You can learn about our cyber security services or reach out for an obligation-free consult If you need assistance improving your organisation’s cyber security posture.