“I feel exposed and unsettled”: Medibank hit with yet another class action over cyberattack

“I feel exposed and unsettled”: Medibank hit with yet another class action over cyberattack

Thousands of current and former Medibank (ASX: MPL) customers have joined a class action lawsuit filed by Melbourne-based law firm Slater and Gordon (ASX: SGH) in the Federal Court over a data hack that stole the personal data and health information of nearly 10 million customers.

The claim alleges that Medibank and its subsidiary Australian Health Management (ahm) breached privacy and consumer laws, as well as legislation that governs consumer data retention and data protection for private insurers operating in Australia.

It also alleges that Medibank breached its contractual obligations to customers to whom it assured it had “adequate and appropriate security controls in place” to protect their information.

Members of the claim are seeking compensation for the time and money spent replacing identity documents, in addition to other measures to protect their privacy and prevent the increased likelihood of them falling victim to scams and identity theft.

They are also seeking damages for non-economic losses such as distress, frustration and disappointment.

Slater and Gordon class actions practice group leader Ben Hardwick described it as one of the most serious data breaches in Australia’s history given the number of people whose information was compromised, and the nature of the information disclosed.

“Health information is something most people keep incredibly private and want kept between them, their doctors or health providers, and their insurer,” Hardwick said.

“Yet for hundreds of thousands of Medibank and ahm customers who were caught up in this data breach, their sensitive health information was exposed on the internet for all to see.

“And for millions more, information critical to their data and personal security was also compromised. Medibank should have had adequate measures in place to prevent all of this, yet they didn’t.”

The latest action against Medibank comes a month after US-based firm Quinn Emanuel Urquhart & Sullivan also launched legal proceedings over the hack, alleging the insurer breached its disclosure obligations by not disclosing to the market the alleged deficiencies in its cyber security systems.  

Earlier this year, international law firm Baker McKenzie filed a class action lawsuit against the insurer in the Federal Court of Australia, including allegations of breach of contract, contraventions of the Australian Consumer Law, and a breach of equitable obligations of confidence.

While Australian law firms Maurice Blackburn LawyersBannister Law Class Actions and Centennial Lawyers had been pursuing separate legal actions against Medibank, the start of this year saw them enter a joint cooperation agreement against Medibank and ahm in relation to the cyberattack.

The breach, which was announced to shareholders in mid-October last year, affected roughly 5.1 million Medibank customers, 2.8 million ahm customers, 1.8 million international customers and 900 Medibank staff

The hack included customer names, addresses, dates of birth, phone numbers, email addresses and the Medicare numbers of ahm customers (without the expiry dates), as well as the passport numbers of international students.

In late 2022, Medibank also announced that the stolen data was being progressively released on the internet, revealing information about customers who were diagnosed with HIV, had received treatment for drug and alcohol addiction and treatment for mental health issues. Widespread media reports indicated that the majority of stolen information had been dumped on the dark web via six zipped files.

Medibank has begun implementing recommendations from a Deloitte report into the cyberattack, but has withheld the findings from the public, citing security risks.

The lead applicant of the Slater and Gordon class action said after seeing ahm was a brand owned by Medibank when he joined, he assumed and trusted that meant everything was in check.

“I feel really exposed and unsettled knowing personal information of mine is out there, and there’s nothing I can do about it,” he said

The class action filing comes two weeks after Slater and Gordon launched proceedings against telco Optus over its 2022 data breachin which up to 10 million current and former customers’ personal information was compromised.

The hack is part of a growing trend of cyberattacks hitting Australian companies, including intellectual property law giant IPH Limited (ASX: IPH) and personal loans provider Latitude (ASX: LFS), the latter of which saw approximately 7.9 million Australian and New Zealand drivers licence numbers stolen from its systems one month ago.

Following the news, Gordon Legal and Hayden Stephens and Associates (HSA) announced they were investigating potential legal action against the fintech and would look into the circumstances surrounding the breach.

Get our daily business news

Sign up to our free email news updates.

Finexia’s Childcare Income Fund secures ‘very strong’ rating from Foresight Analytics & Ratings
Partner Content
Private credit specialist Finexia Financial Group (ASX: FNX) has secured a “very...

Related Stories

Medibank withholds Deloitte findings into cyberattack

Medibank withholds Deloitte findings into cyberattack

Private healthcare insurer Medibank (ASX: MPL) has revealed it will...

Medibank shareholders launch new class action over cyberattack

Medibank shareholders launch new class action over cyberattack

Private health insurer Medibank (ASX: MPL) has been hit with a thir...

Medibank to fight class action lawsuit launched by global law firm Baker McKenzie

Medibank to fight class action lawsuit launched by global law firm Baker McKenzie

Baker McKenzie has become the fourth law firm to launch legal proce...

Triple threat: Australian law firms join forces to litigate Medibank data breach

Triple threat: Australian law firms join forces to litigate Medibank data breach

Three Australian law firms have partnered up to launch a landmark d...