Three Australian law firms have partnered up to launch a landmark data breach complaint against private health insurer Medibank (ASX: MPL), which could be forced to provide compensation payments to 9.7 million current and former customers impacted by a cyberattack in 2021.
Law firms Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers – which had been pursuing separate actions against Medibank – have entered a joint cooperation agreement against Medibank and ahm in relation to the cyberattack.
The move comes one month after Maurice Blackburn lodged a representative complaint against Medibank with the Office of the Australian Information Commissioner (OAIC) – a regulator that has the power to order compensation for affected customers.
The firm alleged that Medibank failed in its duties by not taking steps to protect the privacy of its customers’ personal and sensitive health information from interference, loss, unauthorised access and unauthorised disclosure.
Bannister Law Class Actions Principal Charles Bannister said he hoped the new cooperation agreement would lead swiftly to compensation payments to the millions of Medibank customers whose data was stolen.
The firms confirmed they have been investigating compensation claims and have already registered tens of thousands of Medibank customers.
“We believe the data breach is a betrayal of Medibank Private’s customers and a breach of the Privacy Act. Medibank has a duty to keep this kind of information confidential,” Bannister said.
The breach, which was announced to shareholders in mid-October last year, affected roughly 5.1 million Medibank customers, 2.8 million ahm customers, 1.8 million international customers and 900 Medibank staff.
The leak also included customer names, addresses, dates of birth, phone numbers, email addresses and the Medicare numbers of ahm customers (without the expiry dates), as well as the passport numbers of international students.
As a result, the Australian Prudential Regulation Authority (APRA) intensified its supervision of the private health insurer, which refused to pay a USD$10 million ransom (AUD$14 million) to the hacker behind the cyberattack.
In December last year, widespread media reports indicated that the majority of stolen customer data was dumped on the dark web via six zipped files.
While Medibank confirmed the files were believed to contain hacked information, it noted much of the data was incomplete and hard to understand.
Maurice Blackburn’s head of class actions Andrew Watson said the cooperation agreement was a significant development.
“This data breach has caused millions of Australians significant distress,” Watson said.
“The cooperation agreement ensures that all three law firms are working together for the common aim of obtaining compensation for those affected as quickly as possible.”
Enjoyed this article?
Don't miss out on the knowledge and insights to be gained from our daily news and features.
Subscribe today to unlock unlimited access to in-depth business coverage, expert analysis, and exclusive content across all devices.
Support independent journalism and stay informed with stories that matter to you.