MELBOURNE: When Emma, a lawyer, found out that details of her mental health problems had been breached in a massive cyberattack on Australia’s largest private health insurer, she feared her career could be jeopardised.
Emma was among nearly 10 million Australians affected by the Medibank hack, one of a series of high-profile cyberattacks that have accelerated government efforts to overhaul privacy laws and force companies to do more to protect their customers’ data.
After demanding a ransom, the hackers – who police say were Russian cyber criminals – published more than 1,600 sensitive patient files on the dark web.
“It’s upsetting for me to know that data about my health could be out there on the Internet,” Emma, 41, told the Thomson Reuters Foundation, asking to be identified only by her first name.
“I was really quite distressed because it affects my ability to go back to work if they reveal information about my mental illness,” said Emma, who suffers from major depressive disorder and chronic post-traumatic stress disorder (PTSD), and has been off work sick since December 2021.
Along with data related to her past claims and diagnoses, the hackers took her name, date of birth, address, phone number and email address.
Data breaches, in which sensitive, protected or confidential data is copied, viewed, stolen or used by someone who is not authorised to do so, have been on the rise as more data is captured and stored by governments and corporations worldwide.
Australia’s government has pledged to “hunt down” the cyber criminals, announcing a new taskforce of about 100 officers from the federal police and the Australian Signals Directorate whose job is to “hack the hackers”.
Parliament this week also passed a bill to amend the country’s Privacy Act of 1988, increasing the penalties companies face for serious or repeated infringements of customers’ privacy.
Medibank, which refused to pay a ransom to the hackers, said it was continuously monitoring its network for any suspicious activity, and had added “detection and forensics capability” across its systems to prevent further incidents.
Data collection limits
The hack of Medibank data came just weeks after Optus, Australia’s second-largest telecoms company, disclosed a hack of personal data from up to 10 million accounts. Telstra, the nation’s largest telecoms firm, also said it was hit by a “small data breach”.
While the amended privacy legislation is a “positive” move, it falls short of a “fundamental paradigm shift” that is needed to limit the amount of data collected, said David Lindsay, a professor at the University of Technology Sydney.
“Increasing penalties is obviously a stop-gap measure. It will not address the problems associated with a data privacy regime that is hopelessly out-of-date,” he said.
He called for “serious implementation of the data minimisation principle” to ensure personal data is only collected when it is directly relevant and necessary.
People should also have the right to have their personal information deleted, especially when they cease to be customers, Lindsay added.
Currently, there is no limit on how long companies in Australia can retain customer data. This has come under scrutiny in the wake of the recent breaches, with victims complaining that their data had been kept even though they had not been customers for years.
In Emma’s case, data belonging to her family members – including her stepfather, who took his own life several years ago – was also stolen in the hack.
“All that information is potentially held by the hackers ... and he hadn’t been a customer of Medibank for years. It’s just very distressing,” she said.
‘Vulnerable to abuse’
Cyberattacks against Australia by criminals and state-sponsored groups jumped during the last financial year, with one attack reported every seven minutes, according to a government report released earlier this month.
The Australian Cyber Security Centre received 76,000 cybercrime reports last financial year, up 13% from the previous period, according to its annual cyber threat report, which blamed most major incidents on inadequate software updates.
This is all the more reason to limit the collection of personal information and the duration for which it can be kept, said Niloufer Selvadurai, a professor of technology law at Macquarie University.
“If we can limit the collection of personal information, we can lessen the magnitude of the effects of a data breach, which is pretty well inevitable,” she said.
The Privacy Act allows companies to collect personal information when it is “reasonably necessary”, but Selvadurai said that definition was too broad, making it “vulnerable to abuse by data collectors”.
“(But) it’s good at least to see that these conversations are starting now,” she added.
Still, opposition lawmakers have criticised the government for passing the bill before a two-year review into the Privacy Act by the Attorney-General’s office, due by the end of the year, which will include recommendations for boosting data protection.
For Emma, the moves to protect privacy are too late.
The hack had “retraumatised” her, she said, and made her fear being stigmatised if her colleagues found out about her mental health struggles.
She is also worried that someone might attempt to blackmail her with her health claims data, and is sceptical that the planned reforms will do much to prevent future breaches.
“At the moment, it seems like it’s a bit of a free-for-all,” she said.
“The feeling is horrible, the feeling that somebody has that very private information about me and I’ve got no control over it.” – Thomson Reuters Foundation