OAIC Medibank action a wakeup call for organisations to uplift privacy compliance

13 June 2024
Dudley Kneller, Partner, Melbourne; Sinead Lynch, Partner, Sydney; Antoine Pace, Partner, Melbourne

The Office of the Australian Information Commissioner (OAIC) has made data breaches a regulatory priority for 2023-2024, with an increased focus on regulatory action where there may be serious failures to take reasonable steps to protect personal information, inappropriate data retention practices or failures to comply with the notification procedure from the Notifiable Data Breaches Scheme.

This is perhaps no more evident than in the OAIC’s investigation of the high-profile 2022 Medibank data breach (Medibank Data Breach) which culminated in the OAIC filing civil penalty proceedings against Medibank Private Limited (Medibank) in the Federal Court on 5 June 2024.

This article considers the OAIC’s allegations against Medibank and sets out key action items for businesses looking to bolster protection against data breaches and their compliance with the Privacy Act 1988 (Cth) (Privacy Act).

Medibank Data Breach

The Medibank Data Breach is estimated to have affected approximately 9.7 million Medibank and ahm health insurance (Medibank’s subsidiary) customers in October 2022.

Although on 13 October 2022 Medibank was unclear as to whether a data breach had occurred, it later became aware that a third party had claimed it possessed a large amount of information from Medibank’s systems, and that the third party wished to negotiate a ransom. That information included customers’ personal data and sensitive health claims information.

Medibank elected not to pay the ransom, citing extensive advice it received and a concern that:

“…paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”

The attackers subsequently published this information on the dark web.

The OAIC investigation

The OAIC initiated an investigation on 1 December 2022 into:

“whether Medibank took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.”

At the time, the OAIC noted that if the investigation found Medibank had contravened the Australian Privacy Principles (APPs), the OAIC would have the power to “seek civil penalties through the Federal Court of up to $2.2 million for each contravention.” Compliance with APP 11.1 was identified as a key issue early on in the investigation. APP 11.1 requires APP entities, such as Medibank, to take ‘such steps as are reasonable in the circumstances to protect the information it holds from misuse, interference and loss, as well as from unauthorised access, modification or disclosure’.[1]

Civil penalty proceedings (Federal Court of Australia File No. VID497/2024)

The OAIC’s recently announced civil penalty proceedings allege that:

“Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988.”

Further, in the words of Commissioner Tydd, the OAIC alleges:

Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.

This appears to be a claim in relation to section 13G of the Privacy Act, which imposes substantial penalties in relation to ‘serious and repeated interferences with privacy’ (i.e. contraventions of the APPs[2]). Given the timing of the breach, the Federal Court can impose a civil penalty of up to $2.22 million per individual contravention (per the applicable civil penalty at the time of the Medibank Data Breach).

Reforms

This is, however, a historical penalty.

Following the Medibank and Optus data breaches in 2022, the Federal Government imposed tougher maximum penalties for serious interferences with individuals’ privacy under the Privacy Act, capped at the greater of:[3]

  • $50 million;
  • three times the value of the benefit obtained from the interference with privacy; and
  • 30% of the entity’s adjusted turnover during the period of the breach.

Further reforms are on the way, with the Federal Government contemplating implementation of several proposals to beef up protections from data breaches in line with recommendations in the Attorney-General’s Department’s 2023 Privacy Act Review Report.

These include reforms to:

  • broaden the scope of penalties for contravention of the Privacy Act by implementing new ‘mid-tier’ and ‘low-tier’ penalties for lesser breaches that do not meet the threshold of being ‘serious interference’ under section 13G of the Privacy Act;[4]
  • allow individuals a direct right of action against entities that interfere with their privacy,[5] alongside a statutory tort for serious invasions of privacy;[6] and
  • expand the operation of the existing notifiable data breaches scheme in Part IIIC of the Privacy Act to streamline reporting obligations, and require entities to ‘take reasonable steps to implement practices, procedures and systems to enable [them] to respond to a data breach.’[7]

While not yet written into law, this signals a view within the Attorney-General’s Department that elements of the Privacy Act are insufficient for protecting individuals’ privacy in a modern world, and for ensuring compliance by relevant entities.

What does this mean?

The OAIC’s action against Medibank over the Medibank Data Breach is a timely reminder that the OAIC will not only take data breaches very seriously, but also that it will not be afraid to bring enforcement action in cases of alleged non-compliance. Indeed, as Commissioner Carly Kind identified:[8]

“This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”

This is a wakeup call to all businesses regardless of size – especially given the OAIC’s most recent notifiable data breaches report (July to December 2023), which identified a 19% increase in data breach notifications compared to January to June 2023. Of these, the majority of breaches (65%) affected 100 or fewer people – showing it is not just large-scale breaches at issue.

With further reforms around the corner, now is the time to check up on your privacy compliance to ensure that you’re not only protecting personal information your business holds, but also preparing for potential future compliance obligations. This can include:

  • conducting an internal privacy audit to understand key privacy risks;
  • preparing and regularly reviewing your data breach response plan, to ensure your business is ready to adequately respond to breaches;
  • ensuring your business has appropriate privacy policies and operational procedures in place to manage privacy risks;
  • implementing an AI governance framework if your organisation is using AI, to ensure your business complies with its obligations in relation to use and disclosure of personal information (including to third parties, like AI-tool providers);
  • training staff in key regulatory frameworks to ensure everyone plays their part in complying with key obligations; and
  • reviewing policies and procedures every 6-12 months to ensure ongoing compliance.



Authored by:

Antoine Pace, Partner
Dudley Kneller, Partner
Stephanie Rocher, Senior Associate
Chris Girardi, Lawyer
Lucy Hardyman, Lawyer
Wen Wong, Lawyer


[1] Privacy Act 1988 (Cth) sch 1, APP 11.1

[2] Privacy Act 1988 (Cth) s 13(1)

[3] See the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth), which amended section 13G of the Privacy Act 1988 (Cth).

[4] Proposal 25.1, Privacy Act Review Report

[5] Proposal 26.1, Privacy Act Review Report

[6] Proposal 27.1, Privacy Act Review Report

[7] Proposal 28, Privacy Act Review Report

[8] https://www.oaic.gov.au/newsroom/oaic-takes-civil-penalty-action-against-medibank

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
