Health insurance giant Medibank is facing a maximum fine theoretically in the trillions of dollars after the Australian Information Commissioner filed proceedings in the Federal Court over its 2022 cyber attack.
The legal action has been welcomed by cyber security experts and former customers.
Soon after the hack on the health insurer and its subsidiary ahm, some customer data was posted to the dark web.
The hackers intentionally targeted sensitive patient information, which included data about four people who had undergone pregnancy terminations, as well as many more names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for customers of Medibank budget brand ahm (but not expiry dates), and in some cases passport numbers for international student customers (but not expiry dates).
Medibank refused to pay the ransom demanded by the hackers, something the federal government said was consistent with official advice.
The commissioner now alleges Medibank seriously interfered with the privacy of 9.7 million Australians by "failing to take reasonable steps to protect their personal information".
"The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime," Acting Australian Information Commissioner Elizabeth Tydd said in a statement.
"We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.
"We consider Medibank's conduct resulted in a serious interference with the privacy of a very large number of individuals."
Customers scarred
Former Medibank customer Zhan Huang is glad that Medibank is being sued and is hoping to receive an apology from the company.
"Medibank needs to pay for what happened to their customers as they didn't really take care for their users' data," he said.
"I want to know what really happened, and how Medibank stored or used our data."
Mr Huang, who was a customer of both Medibank and Optus, was angry that his personal data was stolen in two massive data breaches — and has signed up for at least three class actions against the insurance company.
Nowadays, he is a lot more cautious with who he provides his email address to.
Mr Huang has created a separate email address for subscriptions in case his data is shared without his consent, and now only provides his personal email in job applications, and to people that he personally knows.
Wake-up call
The Medibank data breach has resulted in a massive "loss of trust" across Australian society, according to Richard Buckland, a cyber security expert at the University of NSW.
"How can we be sure, despite their [companies'] protestations, that they're actually looking after our data?" Professor Buckland said.
"In fact, it looks like probably on average, they're not."
The potential for hefty fines to be applied to companies that fail to protect their customers' data is an important "wake up call" for Australian businesses, according to Professor Buckland.
"In the past, they were able to be lax with our data, and there were really no consequences.
"I think this action by the Information Commissioner is well overdue, I'm really glad it's happening, and I think it will change practice and attitudes of boards across the country."
Huge potential fines
The commissioner is subsequently going after the company for misuse and unauthorised access or disclosure in breach of the Privacy Act 1988.
Each individual contravention comes with a maximum penalty of $2.22 million.
The commissioner is alleging a contravention for each of the 9.7 million customers, which works out to a potential maximum fine of more than $21 trillion.
It will be up to the Federal Court whether any fines are applied.
Changes to the Piracy Act in late 2022 capped the maximum fine a company could receive at $50 million, but the date of the breach allows the commissioner to sue Medibank under the previous rules.
The hack on Medibank was one of the biggest to ever hit Australian consumers, and sits alongside other headline-making breaches at Optus and Latitude.
The group's net profit after tax for the first half of financial year 2023 was up 5.9 per cent to $233.3 million.
Its revenue rose 1.3 per cent to $3.65 billion.
Medibank confirmed it knew about the legal action brought by OAIC, and said it "intends to defend the proceedings", in a statement to the ASX.
Posted, updated
