Medibank to fight class action lawsuit launched by global law firm Baker McKenzie

Baker McKenzie has become the fourth law firm to launch legal proceedings against private health insurer Medibank (ASX: MPL) over a data security breach last year that stole the personal data of 9.7 million Australian customers.

The international law firm filed a class action lawsuit against the insurer in the Federal Court of Australia, including allegations of breach of contract, contraventions of the Australian Consumer Law, and a breach of equitable obligations of confidence.

While Australian law firms Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers had been pursuing separate actions against Medibank, last month saw them enter a joint cooperation agreement against Medibank and ahm in relation to the cyberattack.

In December 2022, Maurice Blackburn also lodged a representative complaint against the insurer with the Office of the Australian Information Commissioner (OAIC) – a regulator that has the power to order compensation for affected customers.

Medibank said it would defend the latest legal proceedings initiated by Baker McKenzie.

“Medibank understands that these proceedings have been brought on behalf of current and former customers in relation to the cybercrime event Medibank has previously reported and are being brought by Baker McKenzie and funded by Omni Bridgeway,” Medibank said in a statement.

The cyberattack, which was announced to shareholders in mid-October last year, affected roughly 5.1 million Medibank customers, 2.8 million ahm customers, 1.8 million international customers and 900 Medibank staff. 

The breach also included customer names, addresses, dates of birth, phone numbers, email addresses and the Medicare numbers of ahm customers (without the expiry dates), as well as the passport numbers of international students.

As a result, the Australian Prudential Regulation Authority (APRA) intensified its supervision of the private health insurer, which refused to pay a USD$10 million ransom (AUD$14 million) to the hacker behind the cyberattack.

In November 2022, the Australian Federal Police (AFP) confirmed it was working with international agencies such as INTERPOL to investigate the breach believed to be conducted in Russia.

The news followed widespread media reports that indicated the majority of stolen customer data had been dumped on the dark web via six zipped files.

While the investigation is ongoing, Medibank noted there were no signs that financial or banking data was taken. The insurer also added that personal data which was stolen was not sufficient enough to enable identity and financial fraud.

Shares in MPL are up 0.17 per cent today at $3.04 each at 12:58pm.