1 December 2022

The Office of the Australian Information Commissioner (OAIC) today commenced an investigation into the personal information handling practices of Medibank in relation to its notifiable data breach.

This decision follows the OAIC’s preliminary inquiries commenced into the matter in October.

The OAIC’s investigation will focus on whether Medibank took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.

The investigation will also consider whether Medibank took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs).

If the OAIC’s investigation satisfies the Commissioner that an interference with the privacy of individuals has occurred, the Commissioner may make a determination that can include requiring Medibank to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage. If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.

Given that the breach involves sensitive information, we remind any Medibank customers affected that they may seek assistance through Medibank’s helpline.

Australian Information Commissioner and Privacy Commissioner Angelene Falk also reminded organisations covered by the Privacy Act 1988 to ensure they take reasonable steps to protect the personal information they hold.

“All organisations should review their personal information handling practices to ensure reasonable security safeguards are in place,” she said.

In line with the OAIC’s Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further.

About Commissioner-initiated investigations

The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of APP 1 under section 40(2) of the Privacy Act.

Preliminary inquiries will continue with Medibank regarding compliance with the Notifiable Data Breaches scheme.

Under the Notifiable Data Breaches scheme, organisations covered by the Privacy Act must notify affected individuals and the OAIC as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved.

Further assistance

The Australian Government has released a factsheet to provide information on what to do if your data has been compromised in the recent Medibank and AHM cyber incident.

If you think you may be affected by the breach, contact Medibank Private on 13 23 31 or AHM on 13 42 46.

Medibank has an information page for enquiries and details of a customer support package on its newsroom page.

Customers can also seek advice or support around mental health or wellbeing by contacting 1800 644 325.

If you are concerned your identity has been compromised, contact your bank immediately and call IDCARE on 1800 595 160.

There are a number of resources that provide information on how individuals can take steps to mitigate the risk from data breaches. Information about responding to a data breach notification is available on our website. Resources are also available at cyber.gov.au.