AMA VICDOC Spring 2023 - Magazine - Page 71
The Medibank Private data breach in October 2022 affected the personal information of 9.7 million Australians, including a wide range of sensitive health information. Your practice may not have quite that many patients, but the incident still serves to highlight the importance of cybersecurity for any business which holds large volumes of sensitive health information. The legal impact of the breach, however, is still to come, as the health insurer faces class actions and regulatory proceedings that could change the legal landscape for data breach disputes.

A data breach can cause harm to affected individuals in many ways. The publication of sensitive health information (for example, that an individual had an abortion, is suffering a sexually transmitted disease, or has a mental illness) can cause distress, psychological harm and reputational damage. The misuse of an individual’s identity documents can cause financial loss. In some cases, the disclosure of an individual’s address can put them at risk of physical harm.

If an individual who suffers harm as a result of a data breach decides to seek compensation, they currently have two options.

Firstly, they can lodge a complaint with the Office of the Australian Information Commissioner (OAIC). If a class of people are affected, a representative complaint can be made on behalf of that class. The OAIC will investigate the complaint, and if it cannot be resolved by conciliation, has the power to make a determination, which may include an order for compensation.

Secondly, they can commence legal proceedings. If a class of people are affected, a class action can be commenced. Currently, there is no specific cause of action for a data breach, so the plaintiff’s main argument will usually be that the business was negligent in failing to adequately protect the personal information they held. The Commonwealth Government is proposing to introduce a specific cause of action for breaches of the Privacy Act later this year.

Until now, representative complaints and class actions have been exceedingly rare in Australia. In the 23 years since the Privacy Act was extended to apply to the private sector, only five representative complaints have been made to the OAIC, and there has never been a class action in relation to a data breach.

However, this may be about to change, thanks to the Medibank Private and Optus data breaches. At the time of writing, Medibank Private is facing two separate class actions from consumers, a class action from its shareholders, and a representative complaint to the OAIC. Optus is facing a consumer class action and a representative complaint to the OAIC.

The class actions, in particular, will be watched closely by lawyers. If they proceed to trial, the parties will argue about a variety of issues that have not previously been considered by an Australian court. Does a business have a duty of care to its customers and employees to protect the personal information it holds, and what is the standard they must meet to satisfy that duty? How can an individual prove that the harm they suffered was a result of this particular data breach? Should individuals be able to claim damages for psychological or emotional harm suffered as a result of a data breach — and if so, is general distress sufficient, or must a specific mental injury be diagnosed? The court’s decision on these issues will help establish whether data breach class actions are worth conducting in Australia, and in what circumstances.

If the plaintiffs in these class actions are successful, class actions may become a regular response to large-scale data breaches — which will mean that healthcare providers need to take cybersecurity even more seriously, particularly when handling sensitive health information.