๐Ÿ”’breach.co.nz ยท the NZ & Australia breach register ๐Ÿ›ก๏ธ A Govern service
Register โ€บ ๐Ÿ‡ฆ๐Ÿ‡บ AU โ€บ Insurance

Medibank

๐Ÿ‡ฆ๐Ÿ‡บ Melbourne, VIC ยท Medibank Private Ltd ยท Record AU-2022-0243
โ— Confirmed
People affected
9,700,000 (approx)
Breach date
2022-10
Regulator
OAIC
Trust tier
A ยท Confirmed

Data exposed

Names, dates of birth, contact details, Medicare numbers Media-reported
Sensitive health claims data (subset of customers) Media-reported

Confidence: Confirmed = regulator/court ยท Company-confirmed = the organisation's own disclosure ยท Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In October 2022 Medibank disclosed a ransomware-driven breach exposing the personal information of around 9.7 million current and former customers, including sensitive health claims data for a subset [oaic-medibank]. In June 2024 the OAIC commenced civil penalty proceedings in the Federal Court, alleging Medibank failed to take reasonable steps to protect personal information [oaic-medibank]. Some of the stolen data was later published on the dark web.

Timeline

  • 2022-10 โ€” Medibank disclosed the breach; approx 9.7M people affected [oaic-medibank].
  • 2024-06 โ€” OAIC commenced civil penalty proceedings in the Federal Court [oaic-medibank].

Current status

Before the Federal Court; allegations not yet determined, no penalty ordered. [oaic-medibank]

Why it matters

The exposure of sensitive health information โ€” not just identity data โ€” made this a landmark case for the health sector. Figures and allegations are as stated by the regulator.