The Office of the Australian Information Commissioner (OAIC) today commenced an investigation into the personal information handling practices of Medibank in relation to its notifiable data breach.
This decision follows the OAIC's preliminary inquiries commenced into the matter in October.
The OAIC's investigation will focus on whether Medibank took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.
The investigation will also consider whether Medibank took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs).
If the OAIC's investigation satisfies the Commissioner that an interference with the privacy of individuals has occurred, the Commissioner may make a determination that can include requiring Medibank to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage. If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.
Given that the breach involves sensitive information, we remind any Medibank customers affected that they may seek assistance through Medibank's helpline.
Australian Information Commissioner and Privacy Commissioner Angelene Falk also reminded organisations covered by the Privacy Act 1988 to ensure they take reasonable steps to protect the personal information they hold.
"All organisations should review their personal information handling practices to ensure reasonable security safeguards are in place," she said.
In line with the OAIC's Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further.
About Commissioner-initiated investigations
The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of APP 1 under section 40(2) of the Privacy Act.
Preliminary inquiries will continue with Medibank regarding compliance with the Notifiable Data Breaches scheme.
Under the Notifiable Data Breaches scheme, organisations covered by the Privacy Act must notify affected individuals and the OAIC as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved.
Further assistance
The Australian Government has released a factsheet to provide information on what to do if your data has been compromised in the recent Medibank and AHM cyber incident.
