Published 13 September 2024
The Office of the Australian Information Commissioner (OAIC) has closed our inquiries into the MediSecure data breach.
As MediSecure entered administration on 3 June 2024, our inquiries focused on ensuring that MediSecure notified individuals impacted by this breach, so they could take preventative action to protect their personal information, while we worked with other agencies to ensure a whole-of-government approach to building awareness about the matter.
On 18 July 2024, MediSecure issued a public statement on the data breach, which included an outline of the types of personal information impacted. The Australian Government also updated its advice for individuals whose personal information may have been compromised.
At this stage, the OAIC will not pursue an investigation into the personal information handling practices of MediSecure as the possible remedies that we could obtain for the community will not be proportionate to the resources required for a comprehensive investigation. This should not be of comfort to any organisations that hold personal information and do not have appropriate data security policies and practices in place. It demonstrates that organisations need to make protecting individuals’ personal information a top priority, as a data breach may destroy an organisation’s reputation and cause enormous damage to the community.
The OAIC has welcomed the first tranche of privacy reforms with the introduction of the Privacy and Other Legislation Amendment Bill 2024 yesterday. The Bill would strengthen the OAIC’s enforcement toolkit, including through an enhanced civil penalty regime and infringement notice powers.
The Bill would also provide important clarification to the scope of existing security obligations by amending Australian Privacy Principle 11 to expressly require organisations to implement technical and organisational measures (such as encrypting data, securing access to systems and premises, and undertaking staff training) to address information security risks. This amendment will assist in clarifying the OAIC's existing expectations around the scope of measures organisations should be taking into consideration when protecting personal information.