I heard a joke that if you want your boyfriend or husband to prepare a surprise for you, you can keep saying the names of Gucci, Chanel, and other luxury brands to his phone, so that your lover’s phone will keep pushing the content you want him to see. People always laugh at such jokes, not realising that such personalised recommendations depend on their privacy being monitored.
What is privacy?
The topic of “privacy” is familiar to the public, and different people have different definitions of privacy. Privacy is a multifaceted and controversial concept, and we have known it for a long time, but it is difficult to define (Wacks, 1980). The concept of privacy varies across countries, regions, and contexts.
Alexandra Rengel defines it as the right to protection from interference by others, the right to confidentiality, the right to control personal information, and the right to protection of one’s integrity, dignity, and independence (Rengel, 2013).
Or, to put it more simply, privacy is “the right to be let alone,” a phrase that derives from an influential piece by Samuel Warren and Justice Louis Brandeis published in 1890 in the Harvard Law Review (Warren & Brandeis, 1890, pp. 193–220).
Why is it hard to protect privacy in the digital age?
In the information age, privacy is complex and challenging to achieve. Factors such as the trade-off between user privacy and the desire to access free online services, the scope of commercial interests, and the government’s use of big data for personal profiling without the person’s permission (Flew, 2021) can make our desire to protect our privacy an illusion.
PayPal’s privacy notice, for example, is more than 36,275 words and even longer than Hamlet’s poem. As ordinary consumers, few have the patience to read it all, and many just click their mouse and hand over the personal information that has a significant impact on them to the operators of digital platforms, not caring why their data is collected, how it is collected, and who has access to it.
But even after carefully reading the service terms, consumers will find that the terms of service documents assign a great deal of power to the operators to protect their business interests. These platform operators have absolute discretion to make and enforce rules as appropriate (Suzor, 2019).
In addition to these organisational platforms, the government and others can violate individuals’ privacy. For example, when respondents were asked where the threats to their privacy came from, data from Australian interviewers indicated that the majority believed their privacy was violated by corporate organisations (57%). In comparison, others feared government violations (47%), as well as violations from others (47%) (Goggin et al., 2017).
Only when harm has occurred do people begin to realize the importance of privacy
Faced with such a situation, many people stop caring about privacy and security, believing that individuals cannot protect their privacy. They retain enthusiasm for many new things on the Internet, click on random links, and don’t care about privacy settings or privacy-related regulations and institutions. Only when the danger of a data breach falls on them do they examine the importance of privacy.
Security breaches, also known as data breaches, can include but are not limited to, the unauthorized transfer, viewing, stealing, and/or copying of personal data, sometimes accomplished through acts such as hacking, credit card fraud, or theft of personal data (Marianne Hayes, 2022). While many companies’ initial intentions are to support consumer privacy and keep the data collected secure, security violations and data misuse are rising, exposing consumers to privacy violations and potentially harmful events (Martin et al., 2017).
The Medibank data breach
The following article will systematically analyze the impact of data breaches on organizations and individuals in the context of the Medibank data breach so that readers can realize the importance of privacy.
(1) What is a data breach?
The U.S. Department of Health and Human Services defines a data breach as the intentional or unintentional use or disclosure of confidential information. Data breaches can compromise privacy and security, exposing individuals to the risk of reputation loss and other damages (Alkinoon et al., 2021). Data breaches can generally be divided into two main categories: internal and external. Internal breaches include incidents that occur with the help of insiders. External data leaks, on the other hand, are events caused by external physical sources, which include hacking events (Seh et al., 2020).
(2) Why is healthcare data more vulnerable than other data?
According to IBM’s data report for 2022, the healthcare industry has been the most costly for data breaches for 12 consecutive years (IBM, 2022). It is worth noting that such a healthcare data breach can significantly impact individuals or organizations afterward.
(Figure 1 from IBM data report for 2022)
Digital healthcare has made healthcare more accessible, but today’s healthcare industry is a prime target for external and internal attacks. When it comes to the value of stolen data for a crime, the more personal, the better, and nothing is more personal than PHI, that is, protected health information (Mennes, 2017). On the dark web, the price of a patient’s complete record file can reach hundreds of dollars, and monetary interest has become the main reason for hacking (Chernyshev et al., 2018).
Healthcare data is also more sensitive than other data. For example, individuals can take steps such as reporting a credit card as lost when they find out it has been stolen, but healthcare data stays with a person for a lifetime. Any data tampering can potentially cause fatal, irreversible patient damage (Seh et al., 2020).
(3) Medibank Data Breach Timeline
Medibank is one of the largest insurance companies in Australia, and its data breach, which began in October 2002, caused a tremendous shock. With multiple media reports (especially the continuous coverage by ABC News in Australia), there was a greater awareness of the irreparable negative impact that data breaches can have on organisations and individuals.
- October 13, 2022: Medibank noticed some unusual activity on its internal network, and the affected part was shut down.
- October 19, 2022: Hackers contact Medibank directly.
- November 7, 2022: Medibank confirms that 9.7 million past or current customers’ data was compromised and says it refuses to pay ransom to the hackers.
- November 9, 2022: Hackers release customer data named the “good list” and “naughty list” on the dark web.
- November 10, 2022: A file of abortion customer data was released. (Powell, 2022)
(4) The impact of Medibank data breaches on the organisation
First, the reputation of a company that suffers a data breach will drop significantly. For example, Makridis’ findings in 2021 showed that a company’s reputation would drop by 26-29% on average after each data breach (Makridis, 2021). And when a data breach occurs, the news that spreads through the media can gradually erode the reputation of healthcare organisations (Chaudhri et al., 2021). According to PricewaterhouseCoopers (PwC), an auditor and insurer dedicated to cybersecurity, 87% of original customers would leave in the event of a data breach (How Reputational Damage from a Data Breach Affects Consumer Perception, 2020).
In addition to this, data breaches can be exceptionally financially costly for companies. Sasha Romanosky of RAND Corporation showed that the cost of a data breach in recent years accounted for 0.4% of a company’s annual revenue (Meisner, 2017). However, it is essential to note that estimates of the total cost of data breaches vary widely across reports and analyses, mainly due to the use of different estimation methods and the lack of complete and reliable databases due to insufficient disclosure of cyber incidents.
The financial expense for each organisation following a data breach is mainly in the following areas:
1. The cost of informing the victims and protecting the patients concerned
However, following the Medibank data breach, according to Medibank customers whose personal data was uploaded online, they did not receive any support or compensation from Medibank and were told to continue to pay their premiums or lose their insurance without waiting for the incident to be further addressed (“Medibank Customers Left to Endure Anxiety and – ProQuest,” 2022).
2. Attorney’s fees and litigation costs
For example, in the aftermath of the incident, Charles Bannister, head of the class action lawsuit at Bannister Law Firm, who is the attorney for the victims’ class action lawsuit, said that he believes that Medibank’s data breach violated privacy laws, lacked relevant safeguards and betrayed the trust of its customers, and that tens of thousands of Medibank’s customers participated in the class action lawsuit. Medibank has also responded to this and hired a professional lawyer team (Meisner, 2017).
3. Cost of sanctions for non-compliance
After the data breaches at Optus and Medibank, the federal government believes financial penalties for companies that suffer severe or multiple privacy breaches will increase to at least $50 million (currently $2.2 million) (Belot, 2022). But Katharine Kemp, a data privacy expert at the University of New South Wales School of Law and Justice, says that while the increased penalties may have some deterrent effect, the Privacy Act must also be amended to provide greater clarity on when companies must dispose of customer data, among other changes (Bogle, 2022).
In addition, there are the costs associated with subsequent cybersecurity enhancements, the economic impact of lost customers due to reputational damage, and even higher borrowing costs, since banks view healthcare organisations as high-risk borrowers after a data breach and will raise their interest rates accordingly (Deloitte, 2016).
(5) The impact of Medibank data breaches on the individuals
While organisations that suffer from data breaches can suffer significant financial and reputational damage, they usually fall out of the public eye and out of the news a few weeks or months after the attack. However, for consumers, the impact can last a lifetime. ABC News has conducted several interviews with the victims of the Medibank data breach. This paper classifies the impact of this data breach on the victims according to the different interviews as follows.
1. Financial Fraud
The data breach at Medibank involved residents of Australia as well as a large number of overseas students. Overseas student health cover (OSHC) is a health insurance product the Australian government requires for overseas students studying in Australia. Medibank, one of the major insurance companies in Australia, has become the choice of many international students. However, after the data breach, many of them are in a state of anxiety.
For example, Amber Xu, an international student from China, said she and her family were worried and needed to stay alert after the data breach. “They might receive a call or something saying, ‘Your daughter is in trouble. I need some money,’” she said. This is even more likely to happen to international students without constant contact with their parents. Parents worried their children may fall prey to hackers, resulting in irreparable financial losses (Yang & Terzon, 2022).
2. Personal safety
Ms. Bhattacharya, chair of the UNSW Student Representative Council, said that for gay students seeking medical support, such a health data breach could be fatal to them. Other students seeking medication for mental illness or other conditions could be put in an even more dangerous position.
Although Medibank officials say that its clients can get advice on mental health by talking to experienced psychologists over the phone 24/7, such psychological comfort is often not enough for victims whose health protection has been directly affected (Orr, 2022).
3. Loss of privacy and damage to reputation.
After the Medibank data breach, hackers published several “good lists” and “naughty lists” and even released customer data files on abortions, including 303 patients. This includes non-viable pregnancies, miscarriages, and ectopic pregnancies (Orr, 2022). When this sensitive or embarrassing information is released, it can lead to social stigma, discrimination, or other negative consequences.
One example is what happened to Ms. Sarah’s family. Sarah, whose children had been covered by her Medibank family insurance since birth, was outraged and deeply concerned when she learned that hackers had access to their data and a large amount of health data. Sarah suffers from a chronic intestinal disease, and her child suffers from a similar condition, and she was concerned that such a history could affect her child’s future (Bogle, 2022).
Incidents like the Medibank data breach show us that privacy breaches can have irreparable and tragic effects on organisations and individuals. While it is difficult to protect personal privacy in the digital age, it is still vital for each individual to have the right attitude towards privacy. We should be cautious about suspicious links and unknown software, adjust privacy settings frequently, be aware of data privacy rules, and support relevant data privacy protection organisations. As for company organisations, I hope they can improve their cyber security performance, value customer data, and respect consumers’ right to expect companies to collect, use, and disclose personal data consistent with the context in which consumers provide that data (Nissenbaum, 2018).
References
Alkinoon, M., Choi, S. J., & Mohaisen, D. (2021). Measuring Healthcare Data Breaches. In Information Security Applications (pp. 265–277). https://doi.org/10.1007/978-3-030-89432-0_22
Belot, H. (2022, October 21). Optus and Medibank hacks prompt government to – ProQuest. Www.proquest.com. https://www.proquest.com/docview/2726951125?parentSessionId=m89akevN%2B3G6BGimOIG555L4kS8r5NlkEH3XiTLFy20%3D&pq-origsite=primo&accountid=14757
Bogle, A. (2022). Privacy fears for children caught up in Medibank – ProQuest. Www.proquest.com. https://www.proquest.com/docview/2731079584?parentSessionId=lIt22kMw%2FMbvWRG9x0VEpCGbQu7dhGYddInxy6D09hg%3D&pq-origsite=primo&accountid=14757
Chaudhri, V., Oomen, T., Pridmore, J., & Joon, A. (2021). “CARE” in social media: perceptions of reputation in the healthcare sector. Journal of Communication Management, 25(2), 125–141. https://doi.org/10.1108/jcom-06-2020-0059
Chernyshev, M., Zeadally, S., & Baig, Z. (2018). Healthcare Data Breaches: Implications for Digital Forensic Readiness. Journal of Medical Systems, 43(1). https://doi.org/10.1007/s10916-018-1123-2
Deloitte. (2016). Beneath the surface of a cyberattack: A deeper look at business impacts. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-risk-beneath-the-surface-of-a-cyber-attack.pdf
Flew, T. (2021). Issues of concern. In Regulating platform.
Goggin, G., Vromen, A., Weatherall, K. G., Martin, F., Webb, A., Sunman, L., & Bailo, F. (2017). Privacy, Profiling, Data Analytics. In Digital Rights in Australia. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3090774
How reputational damage from a data breach affects consumer perception. (2020, July 2). Imprivata. https://www.imprivata.com/blog/reputation-risks-how-cyberattacks-affect-consumer-perception
IBM. (2022). Cost of a Data Breach 2022. IBM. https://www.ibm.com/reports/data-breach
Makridis, C. A. (2021). Do data breaches damage reputation? Evidence from 45 companies between 2002 and 2018. Journal of Cybersecurity, 7(1). https://doi.org/10.1093/cybsec/tyab021
Marianne Hayes. (2022, October 28). What Is a Data Breach? – Experian. Www.experian.com. https://www.experian.com/blogs/ask-experian/what-is-a-data-breach/
Martin, K. D., Borah, A., & Palmatier, R. W. (2017). Data Privacy: Effects on Customer and Firm Performance. Journal of Marketing, 81(1), 36–58. https://doi.org/10.1509/jm.15.0497
Medibank customers left to endure anxiety and – ProQuest. (2022, November 18). ABC Premium News. https://www.proquest.com/docview/2738204135?parentSessionId=GT05X3DD66uCOyRrfiZFYFMcb1gkLcZZFxlFCCG7bXo%3D&pq-origsite=primo&accountid=14757
Meisner, M. (2017). Financial consequences of cyber attacks leading to data breaches in healthcare sector. In Copernican Journal of Finance & Accounting (pp. 63–73).
Mennes, F. (2017, May). Eresources provided by The University of Sydney Library. Login.ezproxy.library.sydney.edu.au. https://go-gale-com.ezproxy.library.sydney.edu.au/ps/i.do?p=ITOF&u=usyd&id=GALE
Nissenbaum. (2018). Respecting Context to Protect Privacy: Why Meaning Matters. Science and Engineering Ethics, 24(3). https://doi.org/10.1007/s11948-015-9674-9
Orr, A. (2022, November 22). Elaine’s data was stolen in the Medibank hack. She says “sorry” isn’t enough. SBS News. https://www.sbs.com.au/news/article/elaines-data-was-stolen-in-the-medibank-hack-she-says-sorry-isnt-enough/4c7ktafnx
Powell, O. (2022, November 10). A full timeline of the Medibank data leak. Cyber Security Hub. https://www.cshub.com/attacks/news/iotw-everything-we-know-about-the-medibank-data-leak
Rengel, A. (2013). The right to privacy in the digital age. Journal of International Commercial Law and Technology, 8(4), 285–296.
Seh, A. H., Zarour, M., Alenezi, M., Sarkar, A. K., Agrawal, A., Kumar, R., & Khan, R. A. (2020). Healthcare Data Breaches: Insights and Implications. Healthcare, 8(2), 133. NCBI. https://doi.org/10.3390/healthcare8020133
Suzor. (2019). Lawless: The Secret Rules That Govern Our Digital Lives. Cambridge University Press. https://doi.org/10.1017/9781108666428
Wacks, R. (1980). Privacy: A concept ripe for analysis (pp. 23–36). Oxford Journal of Legal Studies.
Yang, S., & Terzon, E. (2022, October 25). Customers in limbo as Medibank data breach shapes – ProQuest. Www.proquest.com. https://www.proquest.com/docview/2728491503?parentSessionId=4%2FeNL43e%2FXYpf7ai74Yt6qhFlgLQf%2FcoI8I2Nn0tiXg%3D&pq-origsite=primo&accountid=14757