On 5 June 2024, the Australian Information Commissioner commenced civil penalty proceedings in the Australian Federal Court against Medibank Private Limited (an Australian health insurance provider) in relation to its notorious data breach in October 2022.
To bring you back up to speed on the Medibank data breach, on 25 October 2022, Medibank notified the Office of the Australian Information Commissioner (OAIC) of a data breach concerning sensitive personal information of 9.7 million Australians (representing approximately 37% of Australia’s total population). As a result of a cyber-attack, malicious actors had gained access to a vast library of customer data which included identity details, government identifiers and medical and insurance records. Over the course of a number of weeks, the malicious actors ‘leaked’ sensitive personal information of Medibank customers and other impacted individuals onto the dark web in the course of pursuing cyber ransoms from the major insurance provider. On 1 December 2022, the OAIC commenced an investigation into Medibank’s data security standards in connection with the data breach, focused on determining whether Medibank took “reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles”. In addition to the OAIC’s investigation, a representative complaint was lodged with the OAIC (effectively a class-action complaint process) alleging Medibank’s actions amounted to an “interference with the privacy of individuals pursuant to section 13(1)(a) of the Privacy Act 1988 (Cth)” (the Privacy Act).
Coming back to the proceedings now, the OAIC has completed its investigations and determined that Medibank’s privacy practices did amount to an interference with the privacy of Australian individuals and has commenced civil penalty proceedings against the health insurer. Importantly, the OAIC’s proceedings are not a penalty for having suffered a data breach, or a penalty for failing to comply with Australian data breach notification obligations (Medibank did report the data breach in accordance with its obligations at law). Rather, the OAIC is alleging Medibank’s data security standards were insufficient – that Medibank failed to take reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as from unauthorized access, modification or disclosure.
The OAIC will be seeking the imposition of substantial penalties in connection with these proceedings. In December 2022, just over a month after Medibank’s data breach, Australia amended the penalty provisions of the Privacy Act to include new penalties for serious or repeated breaches of privacy at the greater of A$50 million, three times the benefit obtained through the contravention or (if the benefit of the contravention cannot be determined) 30% of the company’s domestic turnover during the period of the contravention or the past 12 months (whichever is greater). However, given the Medibank data breach occurred prior to this enforcement reform, the OAIC will be seeking civil penalties in the amount of A$2.2 million per contravention (being the penalty rate applicable for breaches of section 13G of the Privacy Act in the period leading up to the data breach). At this stage, it is not clear how many separate contraventions the OAIC is alleging occurred; however, commentators have pointed out that the number of individuals impacted by the data breach and the period of time in which the OAIC is alleging Medibank failed to maintain adequate security standards are each substantial.
The OAIC’s enforcement proceedings are a warning siren for entities subject to the Australian Privacy Act. Historically, Australian privacy law has not seen the imposition of substantial penalty proceedings, with the Australian regulator preferring alternative means of enforcing Australian privacy standards. These enforcement proceedings (along with Australia’s recent reform on privacy penalties) highlight a new approach to privacy compliance in Australia. Critically, these proceedings show that it is not sufficient for companies to “do the right thing” once an incident has occurred. Medibank acted on the data breach, notified customers and the OAIC and took all recommended steps to respond to a data breach. Despite this mitigating action, the OAIC has found that its privacy practices ahead of the incident were insufficient. Australian businesses, particularly those holding and processing large volumes of sensitive personal information, must take steps now to reduce the likelihood of data breaches occurring and ensure they are taking all reasonable steps to protect Australian data.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.