The OAIC is taking Medibank Private Limited (Medibank) to court over its now-infamous major data breach in October 2022. The OAIC alleges that Medibank failed to take reasonable steps to protect the personal information of 9.7 million Australians from misuse and unauthorised access or disclosure, in breach of the Privacy Act 1988 (Act). If the Court agrees with the OAIC and finds that such failures amount to serious or repeated privacy interferences, in breach of section 13G of the Act, the Court can impose fines of up to $2,220,000 for each breach of section 13G.
Medibank is a large entity, but it would be a mistake for smaller health providers to think they could not be similarly targeted or that they are held to a different standard at law. This saga should put all health providers on notice that they hold valuable data and must stay vigilant and protect it, and that failing to do so can have serious consequences. Privacy Commissioner Carly Kind aptly commented:
"This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe."
Here, we examine some of the basics your health organisation should consider.
Big or small, you must comply with the Act
All Australian health service providers, regardless of size, must comply with the Australian Privacy Principles (APP). As they hold health and other sensitive information, they are more strictly regulated and should be especially vigilant against data breaches and other invasions of privacy.
A data breach can be a sophisticated cyber-attack or result from something as simple as a staff member leaving a device unattended, sharing their password or not using two-factor authentication protections.
Complying with APP 11.1
The Court will be considering whether Medibank acted in breach of APP 11.1. It is timely for you to consider how your health organisation would stand up against such scrutiny.
APP 11.1 requires your health organisation to take "reasonable steps" to protect the personal information it holds. What would be considered "reasonable steps" varies and depends on factors like:
The amount and sensitivity of the information.
The size and nature of the organisation.
The potential adverse consequences for individuals affected.
The organisation’s information handling practices.
The practicality of any steps may also be considered, though time and cost are not valid excuses for non-compliance.
For example, reasonable steps (depending on your health organisation) might include:
Enforcing strict password policies.
Using multi-factor authentication for key systems.
Educating staff to identify and report suspicious activity.
Investing in secure software systems and keeping them updated.
Implementing clear and comprehensive privacy policies and procedures.
This is a non-exhaustive list of examples only. If you are unsure whether your health organisation is meeting its APP 11.1 obligations, you should urgently seek advice and action any rectifications required.
Conclusion
The OAIC’s decision to commence proceedings against Medibank is a timely reminder to all Australian health provider businesses to audit their privacy practices and make sure they have adequate policies, procedures, systems and staff training to meet their broad obligations.
It is especially important that smaller health organisations not ignore the risks or assume that data breaches and the consequences that follow are exclusive to large corporations. In reality, smaller organisations often hold information that is similarly valuable to hackers, but are assumed to have weaker and less sophisticated systems to protect them, and in this way can be more attractive targets.
If you need help understanding your privacy obligations or handling a data breach, contact our experienced team at 02 9199 4563 or info@kinnylegal.com