Thousands of current and former Medibank (ASX: MPL) customers have joined a class action lawsuit filed by Melbourne-based law firm Slater and Gordon (ASX: SGH) in the Federal Court over a data hack that stole the personal data and health information of nearly 10 million customers.
The claim alleges that Medibank and its subsidiary Australian Health Management (ahm) breached privacy and consumer laws, as well as legislation that governs consumer data retention and data protection for private insurers operating in Australia.
It also alleges that Medibank breached its contractual obligations to customers, whom it had assured that it had “adequate and appropriate security controls in place” to protect their information.
Members of the claim are seeking compensation for the time and money spent replacing identity documents, in addition to other measures to protect their privacy and prevent the increased likelihood of them falling victim to scams and identity theft.
They are also seeking damages for non-economic losses such as distress, frustration and disappointment.
Slater and Gordon class actions practice group leader Ben Hardwick described it as one of the most serious data breaches in Australia’s history given the number of people whose information was compromised, and the nature of the information disclosed.
“Health information is something most people keep incredibly private and want kept between them, their doctors or health providers, and their insurer,” Hardwick said.
“Yet for hundreds of thousands of Medibank and ahm customers who were caught up in this data breach, their sensitive health information was exposed on the internet for all to see.
“And for millions more, information critical to their data and personal security was also compromised. Medibank should have had adequate measures in place to prevent all of this, yet they didn’t.”
The latest action against Medibank comes a month after US-based firm Quinn Emanuel Urquhart & Sullivan also launched legal proceedings over the hack, alleging the insurer breached its disclosure obligations by not disclosing to the market the alleged deficiencies in its cyber security systems.
Earlier this year, international law firm Baker McKenzie filed a class action lawsuit against the insurer in the Federal Court of Australia, including allegations of breach of contract, contraventions of the Australian Consumer Law, and a breach of equitable obligations of confidence.
While Australian law firms Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers had been pursuing separate legal actions against Medibank, the start of this year saw them enter a joint cooperation agreement against Medibank and ahm in relation to the cyberattack.
The breach, which was announced to shareholders in mid-October last year, affected roughly 5.1 million Medibank customers, 2.8 million ahm customers, 1.8 million international customers and 900 Medibank staff.
The hack included customer names, addresses, dates of birth, phone numbers, email addresses and the Medicare numbers of ahm customers (without the expiry dates), as well as the passport numbers of international students.
In late 2022, Medibank also announced that the stolen data was being progressively released on the internet, revealing information about customers who were diagnosed with HIV, had received treatment for drug and alcohol addiction and treatment for mental health issues. Widespread media reports indicated that the majority of stolen information had been dumped on the dark web via six zipped files.
Medibank has begun implementing recommendations from a Deloitte report into the cyberattack, but has withheld the findings from the public, citing security risks.
The lead applicant of the Slater and Gordon class action said that, after seeing ahm was a brand owned by Medibank when he joined, he assumed and trusted that meant everything was in check.
“I feel really exposed and unsettled knowing personal information of mine is out there, and there’s nothing I can do about it,” he said.
The class action filing comes two weeks after Slater and Gordon launched proceedings against telco Optus over its 2022 data breach, in which up to 10 million current and former customers’ personal information was compromised.
The hack is part of a growing trend of cyberattacks hitting Australian companies, including intellectual property law giant IPH Limited (ASX: IPH) and personal loans provider Latitude (ASX: LFS), the latter of which saw approximately 7.9 million Australian and New Zealand drivers licence numbers stolen from its systems one month ago.
Following the news, Gordon Legal and Hayden Stephens and Associates (HSA) announced they were investigating potential legal action against the fintech and would look into the circumstances surrounding the breach.