The fallout from one of Australia’s worst data breaches continues to unfold.
As we previously reported, in October 2022, Russian hackers stole approximately 9.7 million customers’ sensitive data from Medibank, Australia’s largest health insurer by market share. The hackers demanded a USD $9.7 million ransom and, when Medibank refused to pay, began publishing tranches of the data on the dark web.
On November 30, following our report, the hackers published further patient data they had exfiltrated, declaring the “case closed.” Media sources widely read the declaration as implying there were no further data to release, although Medibank could not rule out further disclosures.
Maybe the hackers were done inflicting damage, but Medibank’s troubles continued. On December 1, the Australian federal privacy watchdog commenced an investigation into Medibank’s data security practices. The watchdog observed that it could seek penalties in federal court of up to AUD $2.2 million (USD $1.5 million) per contravention of the Australian Privacy Principles.
Then, on December 8, Medibank announced that it was necessary to shut down its IT systems for a security upgrade over the weekend. During that process, patients would not be able to make claims.
There are important differences in the legal regulation of data security as between the United States and Australia. In the United States, class actions for data breaches are common, and have recently been funneled through a theory of securities fraud. In Australia, where there is no common law tort for the invasion of privacy, class action and individual lawsuits for data breaches are comparatively rarer, and regulators play a proportionately greater role. In the United States, there is no one regulator for privacy law. The Federal Trade Commission has often though unofficially assumed that role, but regulators in different industries have enacted data security regulations designed to protect consumer data, the New York State Department of Financial Services being one example. Also, individual states have adopted privacy laws, like the California Consumer Privacy Act, and all 50 states have breach notification laws, creating a patchwork of regulations and laws that need to be navigated in the case of a data security incident. In Australia, on the other hand, there is an Office of the Australian Information Commissioner, which enforces comprehensive federal legislation. More generally, the nuances of legal requirements such as notifications for data breaches differ between the United States and Australia, as they do between different American states.
But despite these differences in legal risk profiles between countries, a few of the most valuable tools for preventing or addressing an attack cut across borders: periodic updating of internal policies to address new cybersecurity threats; regular education of employees; robust back-ups of data and IT systems; and, above, all, intensely planning for a worst-case scenario.
