In early 2019, Medibank Private experienced an earlier, smaller breach via a third-party vendor that accessed customer data without authorisation. This breach predated the much larger 2022 ransomware attack. Medibank disclosed the 2019 breach under Australia’s Mandatory Data Breach (NDB) scheme in August 2019. Affected data included personal details and health insurance information for a subset of Medibank and ahm customers. Medibank notified the OAIC and affected customers. This earlier incident was significant because it demonstrated that Medibank had prior experience with supply chain security failures before the catastrophic 2022 ransomware attack — raising retrospective questions about whether remediation from the 2019 incident was sufficient. The OAIC’s investigation into the 2022 breach also considered Medibank’s broader security posture and history.