Health insurance giant Medibank is being sued by the information watchdog after the personal information of 9.7 million Australians was stolen.
The Australian Information Commissioner announced on Wednesday it had filed civil penalty proceedings over the October 2022 data breach.
Sensitive information, including names, dates of birth, and Medicare numbers, was stolen in the cyber attack, and much of it was leaked online.
In a statement, the Commissioner alleged Medibank had failed to take reasonable steps to protect the information from misuse from March 2021 until the attack.
'The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,' acting Commissioner Elizabeth Tydd said.
'We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.'
The civil proceedings followed an investigation launched by the OAIC into the attack, which affected both current and former members, as well as subsidiary AHM.
Under Australian Privacy Principles, Medibank is required to take reasonable steps to protect the information it holds, including from unauthorised access.
The OAIC may apply to the Federal Court for a penalty order if an entity is alleged to have 'engaged in serious or repeated interferences with privacy'.
If found guilty, Medibank could face a civil penalty of up to $2.2 million for each contravention, though such an order is only made by the court.
The commissioner is alleging a contravention for each of the 9.7 million customers, which works out to a potential maximum fine of more than $21 trillion.
It will be up to the Federal Court whether any fines are applied.
According to the OAIC, Medibank generated revenue of $7.1 billion and an annual profit of $560 million in the financial year ending June 2022.
In January, Foreign Minister Penny Wong announced sanctions against Russian man Aleksandr Ermakov over his alleged role in the breach.
The sanctions were the first under cyber security legislation passed in 2021 and came after an investigation by both the AFP and the ASD.