Medibank to implement ‘all recommendations’ from Deloitte external review into data breach

Over six months after one of the biggest data breaches in Australian history, Medibank has been provided with findings from an external incident review into the circumstances surrounding its data breach last year.

Lauren Croft 28 April 2023 Big Law

On 13 October 2022, Medibank Private Limited confirmed in an ASX release that it had detected “unusual activity” on its network, before disclosing that customer data had been accessed and stolen, affecting as many as 9.7 million current and former Medibank, ahm, and international student customers.

This prompted four class actions, as well as an external incident review by “big four” firm Deloitte — the results of which have now been released.

Numerous legal claims, complaints and class actions have been launched against the health insurance provider since the breach — the most recent of which is on behalf of shareholders who acquired interests in the health insurance provider between 1 July 2019 and 19 October 2022.

That class action was brought by global plaintiff firm Quinn Emanuel Urquhart & Sullivan last month, which the firm said arose from the breach of “substantial volumes of data” from Medibank’s network, including the personal and health claims data of customers being accessed by one or more hackers.

This came after the filing of a class action against Medibank by fellow global law firm Baker McKenzie, in conjunction with litigation funder Omni Bridgeway, in February, following the launch of similar class action investigations in late 2022 by Maurice Blackburn in mid-November (which became an officially launched proceeding in December) and by Bannister Law and Centennial Lawyers in early November.

Earlier this year, those class actions were merged to continue to seek compensation for consumers. Maurice Blackburn also launched a representative complaint with the Office of the Australian Information Commissioner (OAIC), which has the power to order compensation.

In February this year, as part of its half-year 2023 financial results presentation, Medibank outlined the circumstances surrounding how its systems were accessed, what it had done in response, and its key focus areas going forward, including shutting down the attack path and strengthening its security environment.

After conducting an external investigation and incident review, Deloitte has provided Medibank with its findings from that review and recommendations moving forward, which Medibank confirmed in an announcement to the ASX this morning (28 April).

Deloitte made a number of recommendations to enhance the health insurer’s IT processes and systems, some of which have already been implemented. According to the statement, Medibank intends to “implement all recommendations not already undertaken, along with other enhancements previously planned”.

“Medibank will also continue to review its cyber security governance arrangements, recognising the increasing prevalence of cyber crime and the need to meet the ongoing expectations of our customers,” the ASX announcement stated.

Medibank chair Mike Wilkins said that since the data breach, the company has been striving to return to business as normal.

“This cyber crime was a deliberate and malicious attack. Our focus has been to ensure that we closed down the attack path and enhance our systems and processes to provide our customers with the security they expect and deserve.

“Medibank has completed a range of enhancements to meet this expectation, and the board will continue to oversee the completion of steps to implement the recommendations to enhance systems and processes even further,” he said.

“From the beginning of this cyber crime, Medibank has continued to prioritise and support the needs and health of our customers and to ensure the earliest possible resumption of normal business operations.”

Medibank also noted that the breach remains the subject of a criminal investigation and that the insurer would continue to work with government law enforcement and regulators moving forward, as well as “continue to share lessons from the cyber crime with other Australian businesses, where it can”.

Lauren Croft

Lauren is a journalist at Lawyers Weekly and graduated with a Bachelor of Journalism from Macleay College. Prior to joining Lawyers Weekly, she worked as a trade journalist for media and travel industry publications and Travel Weekly. Originally born in England, Lauren enjoys trying new bars and restaurants, attending music festivals and travelling. She is also a keen snowboarder and, pre-pandemic, spent a season living in a French ski resort.
