Privacy commissioner to investigate Medibank

The Office of the Australian Information Commissioner (OAIC) has opened an investigation into the way Medibank handles the personal information it holds, after a catastrophic data breach.


The private health insurer announced on October 13 that it had ‘detected unusual activity’ on its network and said a week later that personal data appeared to have been stolen.

Medibank has since confirmed it believes almost 10 million current and former customers were affected by the cyber attack.

In an update on December 1 Medibank said six zipped files of stolen customer data had been released on the dark web, and it expected the release of files to continue.

Medibank is continuing to investigate, CEO David Koczkar says.

‘Reasonable’ privacy steps

The OAIC investigation will focus on whether Medibank took reasonable steps to protect the personal information it held from misuse, interference, loss, unauthorised access, modification or disclosure.

It will also consider whether Medibank had in place practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs).

Following the investigation Australian Information Commissioner and Privacy Commissioner Angelene Falk will have the power to order Medibank to take steps to redress any loss or damage and ensure the incident isn’t repeated.

If the investigation finds serious or repeated interferences with privacy, she will be able to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.

Feds investigate

Investigators in the AFP’s Cyber Command are also working with public and private sector agencies to identify anyone responsible for buying or selling personal identification information.

The Medibank breach followed the theft of personal data held by Optus relating to more than two million customers.


One thought on “Privacy commissioner to investigate Medibank”

  1. Can someone tell me what the definition of “reasonable steps” is here?
    Both Optus and Medibank either took no steps, or some/many steps which they thought was suitable cyber protection, or they were totally oblivious to what was going on or could potentially happen. I doubt it was the latter given the size of the organisations, but in any event I would love to find out about their risk management policies and strategy in this arena produced before the events.
