Medibank shareholders launch new class action over cyberattack

Private health insurer Medibank (ASX: MPL) has been hit with a third class action lawsuit related to a data security breach last year that led to the theft of personal data from 9.7 million customers.

The latest lawsuit has been filed by US-based firm Quinn Emanuel Urquhart & Sullivan in the Supreme Court of Victoria, alleging the insurer breached its disclosure obligations by not disclosing to the market the alleged deficiencies in its cyber security systems.  

The move comes more than a month after Baker McKenzie filed a class action lawsuit against Medibank in the Federal Court of Australia, which included allegations of breach of contract, contraventions of the Australian Consumer Law, and a breach of equitable obligations of confidence.

While Australian law firms Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers had been pursuing separate legal actions against Medibank, the start of this year saw them enter a joint cooperation agreement against Medibank and ahm in relation to the cyberattack.

In an announcement to shareholders yesterday, Medibank said it intended to defend the latest class action.

“The statement of claim includes allegations that Medibank breached its continuous disclosure obligations under the Corporations Act 2001 and ASX Listing Rules by not disclosing to the market information relating to alleged deficiencies in its cyber security systems,” Medibank added.

As a result of the breach, the Australian Prudential Regulation Authority (APRA) intensified its supervision of Medibank which refused to pay a USD$10 million ransom (AUD$14 million) to the criminal behind the cyberattack.

The incident, announced to shareholders in mid-October last year, affected roughly 5.1 million Medibank customers, 2.8 million ahm customers, 1.8 million international customers and 900 Medibank staff. 

The leak also included customer names, addresses, dates of birth, phone numbers, email addresses and the Medicare numbers of ahm customers (without the expiry dates), as well as the passport numbers of international students. Widespread media reports indicated that the majority of stolen customer data had been dumped on the dark web via six zipped files.

Other law firms cracking down on cyber-related incidents include Gordon Legal and Hayden Stephens and Associates (HSA), which recently announced they were joining forces to investigate legal recourse for the millions of customers affected by a hack targeting Latitude Financial (ASX: LFS).

Just three days ago, the fintech revealed roughly 7.9 million Australian and New Zealand drivers licence numbers were stolenfrom its systems.

Other personal information stolen included around 53,000 passport numbers, less than 100 customer financial statements and 6.1 million records containing personal information including names, addresses, telephone numbers and dates of birth.

Yesterday saw property giant Meriton become the latest victim of a cyberattack, with 1,889 people potentially affected by the breach that is estimated by a forensic team to have extracted 35.6GB worth of data.