The Office of the Australian Information Commissioner (OAIC) and the Australian Prudential Regulation Authority (APRA) have given updates on their responses to the recent cyber attack on Medibank.
The OAIC has announced that it has commenced an investigation into the personal information handling practices of Medibank in relation to its notifiable data breach.
The OAIC’s investigation will focus on whether Medibank took reasonable steps to protect the personal information it held from misuse, interference, loss, unauthorised access, modification or disclosure.
The investigation will also consider whether Medibank took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs).
APRA, in its capacity as regulator of private health insurers, has announced that it has intensified its supervision of Medibank Private Limited in response to the recent cyber incident, which has significantly impacted Medibank customers and raised concerns about the strength of its operational risk controls.
The external review announced by Medibank on 16 November has been designed to ensure that it will meet APRA’s requirements. This review will examine the incident itself, control effectiveness and the response of Medibank.
In addition, APRA will intensify its supervision of all entities not meeting the Information Security Prudential Standard CPS 234 as a result of the extensive independent review underway, and other supervisory activities.
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.
The post Medibank Private data breach update appeared first on Bright Law.