Private health insurer Medibank (ASX: MPL) has announced today it is being investigated by Australia’s privacy watchdog over a cyberattack that impacted almost 10 million former and current customers last year.
The Office of the Australian Information Commissioner (OAIC) has launched its probe into the hack following a representative complaint lodged by Maurice Blackburn five months ago.
In its complaint, the Melbourne-based law firm alleges the private health insurer failed to take steps to protect the privacy of its customers’ personal information and sensitive health information from interference, loss, unauthorised access and unauthorised disclosure.
The cyberattack affected roughly 5.1 million Medibank customers, 2.8 million ahm customers, 1.8 million international customers and 900 Medibank staff. Following the breach, the majority of stolen customer data was dumped on the dark web via six zipped files.
In an announcement made on the ASX today, Medibank confirmed it is being investigated by the OAIC regarding Maurice Blackburn's complaint in parallel to the Commissioner's own probe.
Maurice Blackburn national head of class actions Andrew Watson, who is leading the Medibank class action, welcomed the decision to investigate from the OAIC.
“It was always our view that the OAIC should investigate this breach and whether victims of the Medibank data breach should be eligible for compensation,” Watson said.
“It is well known that the disclosure of this information has caused millions of Australians significant distress. The complaint lodged with the OAIC offers an avenue of redress to those affected by this incident.
“Nothing will ever undo the damage that has been caused by this data breach, but the OAIC agreeing to investigate our complaint to seek compensation from Medibank, including for financial and non-financial loss, is a significant step that we hope will go some way to providing a measure of justice for those impacted.”
One week ago, thousands of current and former Medibank customers joined a class action lawsuit filed by Melbourne-based law firm Slater and Gordon (ASX: SGH) in the Federal Court over the data hack.
Members of the claim are seeking compensation for the time and money spent replacing identity documents, in addition to other measures to protect their privacy and prevent the increased likelihood of them falling victim to scams and identity theft.
US-based firm Quinn Emanuel Urquhart & Sullivan also launched legal proceedings against the company, alleging it breached its disclosure obligations by not disclosing to the market the alleged deficiencies in its cyber security systems.
While Australian law firms Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers had been pursuing separate legal actions against Medibank, the start of this year saw them enter a joint cooperation agreement against Medibank and ahm in relation to the cyberattack.
Following the breach, the Australian Prudential Regulation Authority (APRA) intensified its supervision of the private health insurer, which refused to pay a USD$10 million ransom (AUD$14 million) to the hacker behind the cyberattack.
The OAIC announced two days ago it was teaming up with the New Zealand Office of the Privacy Commissioner (OPC) to scrutinise a Latitude (ASX: LFS) cyberattack that resulted in 14 million personal documents being stolen earlier this year.