What happened
In October 2022 Medibank disclosed a ransomware-driven breach exposing the personal information of around 9.7 million current and former customers, including sensitive health claims data for a subset [oaic-medibank]. In June 2024 the OAIC commenced civil penalty proceedings in the Federal Court, alleging Medibank failed to take reasonable steps to protect personal information [oaic-medibank]. Some of the stolen data was later published on the dark web.
Timeline
- 2022-10 โ Medibank disclosed the breach; approx 9.7M people affected [oaic-medibank].
- 2024-06 โ OAIC commenced civil penalty proceedings in the Federal Court [oaic-medibank].
Current status
Before the Federal Court; allegations not yet determined, no penalty ordered. [oaic-medibank]
Why it matters
The exposure of sensitive health information โ not just identity data โ made this a landmark case for the health sector. Figures and allegations are as stated by the regulator.