Privacy

13 Mar 2026

6 min read

Case Study: Privacy Risk in the Healthcare Sector 

In many ways we are defined by our health: what we can physically and mentally do each day, how we interact with others, how we function in society. The healthcare sector handles our most sensitive information when we are at our most vulnerable. When that information is compromised, it can have a profound effect on us, our relationships and our place in society. Is it too much to ask that our information is handled appropriately?


Health information is the most sensitive category of personal information recognised under Australian privacy law. It carries special protections under the Privacy Act 1988 (Cth), it sits at the intersection of multiple overlapping regulatory regimes, and it is the information that individuals most acutely feel the loss of control over when things go wrong. 

It is also, by a significant margin, the personal information most frequently exposed in Australian data breaches. Two recent cases define the landscape. 

Medibank Private: Australia’s Most Consequential Data Breach 

In October 2022, Medibank Private (Australia’s largest private health insurer with approximately 3.9 million customers) disclosed a cyber attack that exposed the personal and health information of virtually its entire customer base. 

The breach exposed names, dates of birth, addresses, Medicare numbers, phone numbers, and, most critically, the health claims data of affected customers. That health data included diagnostic codes, details of medical procedures, and information about mental health treatment, reproductive health services, drug and alcohol conditions, and other highly sensitive clinical matters. 

In November 2022, the attacker began publishing the stolen data on the dark web, targeting individuals with conditions they had not publicly disclosed. People were contacted directly by the attacker. Sensitive health information was used as leverage. 

How the Breach Occurred 

The attacker gained initial access through stolen credentials belonging to a third-party IT service provider, a vendor with privileged access to Medibank’s systems. Alerts generated by Medibank’s own security monitoring tools during the intrusion were not acted upon promptly. The attacker’s presence in the system went undetected for long enough to allow exfiltration. 

The Regulatory and Legal Response 

The OAIC launched a formal investigation into Medibank’s privacy practices. The OAIC’s process is still ongoing, and we are yet to see if a settlement will be reached or if the matter will be resolved in the Federal Court.  

Simultaneously, a class action was filed on behalf of affected individuals, one of the most significant privacy-related class actions in Australian history by scale of affected individuals and potential quantum. This class action is also ongoing. 

Medibank has publicly reported hundreds of millions of dollars in costs associated with the breach response, ongoing regulatory engagement, and litigation.  

What a Privacy Audit Would Have Changed 

Vendor access controls  

A vendor privacy review would have assessed whether third-party providers with privileged system access had adequate access controls, contractual privacy obligations, and active oversight processes. Under APP 11, Medibank was required to take reasonable steps to protect personal information in the hands of its service providers. Whether the steps taken by Medibank met this standard is a key question for the OAIC’s investigation and the class action to determine.

Alert response governance  

A privacy and cyber governance audit would have examined not just whether monitoring tools existed, but whether there were documented escalation pathways, ownership, and testing of the incident response process.  

Health data retention  

An audit of Medibank’s data landscape would have examined what health information was held, for how long, and whether the breadth of health claims data being retained in accessible systems was justified by current operational needs. Data destroyed before a breach cannot be exfiltrated. 
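The three audit areas above (vendor access, alert handling and retention) lend themselves to repeatable, evidence-based checks rather than one-off judgement. The following is an added example written for this page; it is not code from Enigma Law, from Medibank or from the OAIC. The thresholds (a 90-day access review, one-hour acknowledgement for critical alerts, seven-year retention for health claims) and the sample vendor accounts, alerts and data stores are constructed assumptions chosen to exercise each check, not figures taken from the article or from any regulator.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Illustrative thresholds: assumptions for this example, not figures from the
# article, the OAIC or any regulator.
ACCESS_REVIEW_MAX_AGE = timedelta(days=90)
ALERT_ACK_SLA = {"critical": timedelta(hours=1), "high": timedelta(hours=4)}
RETENTION_MAX_AGE = {"health_claims": timedelta(days=7 * 365)}

@dataclass
class VendorAccount:
    vendor: str
    account: str
    privileged: bool                    # admin-level access to internal systems
    mfa_enforced: bool
    contract_has_privacy_clauses: bool  # APP 11-style obligations in the contract
    last_access_review: Optional[date]  # None = never reviewed

@dataclass
class Alert:
    alert_id: str
    severity: str
    raised_at: datetime
    acknowledged_at: Optional[datetime]  # None = nobody has picked it up

@dataclass
class DataStore:
    name: str
    category: str
    oldest_record: date
    online: bool  # reachable from production systems, so exposed if they are compromised

def audit_vendor_access(accounts, today):
    """Flag privileged third-party accounts lacking MFA, contractual cover or a recent review."""
    findings = []
    for a in accounts:
        if not a.privileged:
            continue
        if not a.mfa_enforced:
            findings.append((a.account, "privileged vendor account without MFA"))
        if not a.contract_has_privacy_clauses:
            findings.append((a.account, "no contractual privacy obligations on vendor"))
        if a.last_access_review is None or today - a.last_access_review > ACCESS_REVIEW_MAX_AGE:
            findings.append((a.account, "privileged access not reviewed within the last 90 days"))
    return findings

def audit_alert_response(alerts, now):
    """Flag alerts never acknowledged, or acknowledged outside the severity SLA."""
    findings = []
    for al in alerts:
        sla = ALERT_ACK_SLA.get(al.severity)
        if sla is None:
            continue  # informational severities are not tracked here
        if al.acknowledged_at is None:
            if now - al.raised_at > sla:
                findings.append((al.alert_id, f"{al.severity} alert still unacknowledged"))
        elif al.acknowledged_at - al.raised_at > sla:
            findings.append((al.alert_id, f"{al.severity} alert acknowledged outside SLA"))
    return findings

def audit_retention(stores, today):
    """Flag sensitive data kept in online systems beyond its retention limit."""
    findings = []
    for s in stores:
        limit = RETENTION_MAX_AGE.get(s.category)
        if limit is not None and s.online and today - s.oldest_record > limit:
            findings.append((s.name, f"{s.category} data past retention limit in an online system"))
    return findings

def run_audit(accounts, alerts, stores, now):
    return {
        "vendor_access": audit_vendor_access(accounts, now.date()),
        "alert_response": audit_alert_response(alerts, now),
        "retention": audit_retention(stores, now.date()),
    }

# Constructed sample inventory: vendor names, alert ids and store names are made up.
NOW = datetime(2026, 3, 13, 9, 0)
SAMPLE_ACCOUNTS = [
    VendorAccount("it-msp-example", "svc-msp-admin", True, False, True, date(2025, 10, 1)),
    VendorAccount("it-msp-example", "svc-msp-readonly", False, False, True, None),
    VendorAccount("billing-saas-example", "svc-billing", True, True, True, date(2026, 2, 20)),
]
SAMPLE_ALERTS = [
    Alert("A-1", "critical", NOW - timedelta(days=2), None),
    Alert("A-2", "high", NOW - timedelta(days=2), NOW - timedelta(days=2) + timedelta(hours=30)),
    Alert("A-3", "high", NOW - timedelta(hours=2), NOW - timedelta(hours=1)),
]
SAMPLE_STORES = [
    DataStore("claims-warehouse", "health_claims", date(2012, 1, 1), True),
    DataStore("claims-cold-archive", "health_claims", date(2012, 1, 1), False),
    DataStore("crm", "contact_details", date(2015, 1, 1), True),
]

if __name__ == "__main__":
    for area, findings in run_audit(SAMPLE_ACCOUNTS, SAMPLE_ALERTS, SAMPLE_STORES, NOW).items():
        print(f"{area}: {len(findings)} finding(s)")
        for subject, issue in findings:
            print(f"  {subject}: {issue}")
```

On the constructed data the vendor check flags only the privileged MSP account (no MFA, stale review), the alert check flags the unacknowledged critical alert and the high alert picked up 30 hours later, and the retention check flags the online claims warehouse while leaving the offline archive alone. The point of the offline distinction is the one the article makes: data that is not reachable from a compromised production environment cannot be exfiltrated from it, and data already destroyed cannot be exfiltrated at all.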

Australian Clinical Labs: When M&A Creates Privacy Liability 

In February 2022, Medlab Pathology, a Sydney-based pathology provider, suffered a ransomware attack that exposed the personal and health information of approximately 223,000 people. The breach included pathology test results, diagnostic information, and in some cases sensitive clinical details including HIV status and medication records. 

Australian Clinical Labs (ACL) had acquired Medlab Pathology only months before the breach occurred. The vulnerability exploited in the attack existed in systems ACL had inherited through that acquisition. 

In early 2025, the Federal Court imposed a penalty of $5.8 million on ACL. The findings included that ACL had not acted with sufficient urgency to contain the breach and notify affected individuals, a failure that compounded the original security failure. 

The Due Diligence Gap 

When you acquire a healthcare business, you acquire its health information governance history, its OAIC exposure, its undisclosed incidents, and its system vulnerabilities. Those are liabilities with financial and regulatory consequences that can, as ACL discovered, dwarf the acquisition cost itself. 

For healthcare M&A specifically, the due diligence checklist must include: what health information is held, what systems it sits in, what security assessments have been conducted, whether there have been prior incidents or OAIC contacts, and what the post-acquisition remediation roadmap needs to be. 

The Broader Healthcare Privacy Risk Picture 

Beyond Medibank and ACL, the healthcare sector across Australia faces structural privacy risks that recur consistently:

  • Multiple overlapping regulatory regimes (Privacy Act, My Health Records Act, state health legislation) which require dedicated resources to stay on top of

  • Health technology and third-party data flows not mapped or contractually protected 

  • Consent that is not specific, is out of date, or is misaligned with what is happening in practice

  • Workforce privacy risk, i.e. large workforces with broad access to sensitive health information 

  • Higher-sensitivity sub-categories (mental health, reproductive health, HIV records) without additional controls 

What Healthcare Organisations Should Do Now 

Just as with their patients, healthcare organisations cannot treat a privacy risk until they know what the risk is.

A structured privacy audit is your diagnosis tool. For a healthcare organisation, a privacy audit should cover:

  • data mapping across all clinical and administrative systems  

  • a review of collection notices and consent mechanisms  

  • vendor and technology partner contract review  

  • NDB scheme readiness, incident response plan development and testing, and  

  • a culture and training assessment calibrated to clinical and administrative roles. 

Privacy impact assessments should be standard for every new clinical technology, digital health initiative, or data-sharing arrangement before it goes live. This includes new AI tools such as note takers. 

The organisations that will navigate the next phase of Australian healthcare privacy regulation most effectively are those that have treated this as a governance priority rather than a compliance exercise. 

Enigma Law is a privacy law firm based in Melbourne, advising healthcare organisations across Australia on privacy audits, regulatory compliance, health information governance, and incident response. Contact jon@enigmalaw.com.au 
