Medibank sued after 9.7m Aussies' data stolen in Russian cyber attack

Health insurance giant Medibank is being sued by the information regulator after the personal information of 9.7 million Australians was stolen.

The Australian Information Commissioner announced on Wednesday that it had launched civil penalty proceedings over the October 2022 data breach.

Sensitive information, including names, dates of birth and Medicare numbers, was stolen during the cyberattack; much of it was leaked online.

In a statement, the Commissioner said Medibank did not take reasonable steps to protect information from misuse from March 2021 until the attack.

“The release of personal information on the dark web has exposed large numbers of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” Acting Commissioner Elizabeth Tydd said.

“We believe that Medibank has failed to take reasonable steps to protect the personal information in its possession, given its size, resources, nature and volume of sensitive and personal information handled, and the risk of serious harm to an individual in the event of a breach.”

The civil proceedings follow an investigation launched by the OAIC into the attack, which affected both current and former members, as well as the AHM branch.

Under the Australian Privacy Principles, Medibank is required to take reasonable steps to protect the information it holds, including from unauthorized access.

The OAIC can apply to the Federal Court for a sanctions order if it suspects that an entity is “engaging in serious or repeated interference with privacy”.

If found guilty, Medibank could face a civil penalty of up to $2.2 million for each violation, although such an order would only be issued by the court.

Medibank generated revenue of $7.1 billion and an annual profit of $560 million in the financial year ending June 2022, according to the OAIC.

In January, Foreign Minister Penny Wong announced sanctions against Russian Alexander Ermakov for his alleged role in the breach.

The sanctions were the first under cybersecurity legislation passed in 2021 and came after an investigation by both the AFP and ASD.
