$21T at stake as Medibank pursued over cyber breaches
6 June 2024
Australia’s privacy watchdog has announced it will take legal action against Medibank Private for allegedly failing to protect the medical details of 9.7 million Australians.
Russian cybercriminals hacked and then sold the deeply personal medical details of some Australians in 2022. The Office of the Australian Information Commissioner alleges Medibank “failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.”
Contraventions of section 13G of the Privacy Act for each of Medibank’s 9.7 million customers could attract a maximum civil penalty of up to $2,220,000 each – that’s $21 trillion in total. Medibank has said it will defend the proceedings.
The potential size of the claim shows the watchdog’s intention to warn other companies about their responsibility to protect the citizens’ data they collect.
“Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely. That is particularly the case when it comes to sensitive data,” Privacy Commissioner Carly Kind said.
“This case should serve as a wake-up call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”
If you’d rather prevent cybertheft than defend proceedings in court, consider how a Managed File Transfer solution can help protect your data in transit, at rest, and in the cloud.
Our free resources are a good starting point, and our Business Manager Bradley Copson is always happy to have an obligation-free discussion and provide a free Proof of Concept.