ARTICLE
19 September 2023

The future of data breach disputes

Kennedys

Medibank Private faces class actions after the data breach – which could change the legal landscape for data breach disputes.

The Medibank Private data breach in October 2022 affected the personal information of 9.7 million Australians, including a wide range of sensitive health information. Your practice may not have quite that many patients, but the incident still serves to highlight the importance of cybersecurity for any business which holds large volumes of sensitive health information. The legal impact of the breach, however, is still to come, as the health insurer faces class actions and regulatory proceedings that could change the legal landscape for data breach disputes.

A data breach can cause harm to affected individuals in many ways. The publication of sensitive health information (for example, that an individual had an abortion, is suffering a sexually transmitted disease, or has a mental illness) can cause distress, psychological harm and reputational damage. The misuse of an individual's identity documents can cause financial loss. In some cases, the disclosure of an individual's address can put them at risk of physical harm.

If an individual who suffers harm as a result of a data breach decides to seek compensation, they currently have two options.

Firstly, they can lodge a complaint with the Office of the Australian Information Commissioner (OAIC). If a class of people is affected, a representative complaint can be made on behalf of that class. The OAIC will investigate the complaint and, if it cannot be resolved by conciliation, has the power to make a determination, which may include an order for compensation.

Secondly, they can commence legal proceedings. If a class of people is affected, a class action can be commenced. Currently, there is no specific cause of action for a data breach, so the plaintiff's main argument will usually be that the business was negligent in failing to adequately protect the personal information it held. The Commonwealth Government is proposing to introduce a specific cause of action for breaches of the Privacy Act later this year.

Until now, representative complaints and class actions have been exceedingly rare in Australia. In the 23 years since the Privacy Act was extended to apply to the private sector, only five representative complaints have been made to the OAIC, and there has never been a class action in relation to a data breach.

However, this may be about to change, thanks to the Medibank Private and Optus data breaches. At the time of writing, Medibank Private is facing two separate class actions from consumers, a class action from its shareholders, and a representative complaint to the OAIC. Optus is facing a consumer class action and a representative complaint to the OAIC.

The class actions, in particular, will be watched closely by lawyers. If they proceed to trial, the parties will argue about a variety of issues that have not previously been considered by an Australian court. Does a business have a duty of care to its customers and employees to protect the personal information it holds, and what standard must it meet to satisfy that duty? How can an individual prove that the harm they suffered was a result of this particular data breach? Should individuals be able to claim damages for psychological or emotional harm suffered as a result of a data breach – and if so, is general distress sufficient, or must a specific mental injury be diagnosed? The court's decisions on these issues will help establish whether data breach class actions are worth conducting in Australia, and in what circumstances. If the plaintiffs in these class actions are successful, class actions may become a regular response to large-scale data breaches – which will mean that healthcare providers need to take cybersecurity even more seriously, particularly when handling sensitive health information.
