Cyber Daily


3 law firms join forces on Medibank class action

After one of the most serious data breaches in Australian history, three law firms have teamed up to pursue compensation action on behalf of millions of affected Medibank customers.

Lauren Croft & David Hollingworth
Mon, 16 Jan 2023

On 13 October 2022, Medibank confirmed in an ASX release that it had detected “unusual activity” on its network, before disclosing that customer data had been accessed and stolen, affecting as many as 9.7 million current and former Medibank, AHM and international student customers.

The breach involved the personal information of millions of Medibank customers, including names, dates of birth, phone numbers, email addresses, some Medicare and passport numbers and in some cases, sensitive healthcare information, including codes associated with diagnosis and medical procedures.

Maurice Blackburn first started investigating a claim against Medibank in November last year, a week after Bannister Law Class Actions and Centennial Lawyers launched a similar investigation.


Now, the three firms have joined forces to run a complaint against the private health insurance provider, entering into a joint cooperation agreement against Medibank and budget operator AHM in relation to the data breach.

The firms have already registered tens of thousands of Medibank customers — and under the cooperation agreement, will now pursue the Office of the Australian Information Commissioner (OAIC) complaint seeking compensation for those affected by the data breach.

Bannister Law Class Actions principal Charles Bannister said he hoped the cooperation agreement would lead swiftly to compensation payments to the millions of Medibank customers whose data was breached.

“We believe the data breach is a betrayal of Medibank Private’s customers and a breach of the Privacy Act,” he said.

“Medibank has a duty to keep this kind of information confidential.”

“The data breach exposes the lack of safeguards in place to prevent such personal and private information being released to wrongdoers and Medibank and AHM have failed policy holders,” he said.

Medibank did not give in to the hackers’ $15.6 million ransom demand, and in early December, the entire dataset was released on the dark web, totalling 200GB of user data.

“Happy Cyber Security Day!!! Added folder full. Case closed,” the dark web post from the hackers said.

The hackers are believed to be Russian-based and connected to the REvil ransomware group, which formed in 2019 and only targets entities outside of its home country. In the past, REvil has targeted Apple, Donald Trump, and Lady Gaga, among others. Russian authorities claimed the hacking outfit had been dismantled in January 2022.

On top of the class action investigations, the OAIC is already pursuing its own investigations, which, if Medibank is found negligent in the matter, could lead to fines of up to $2.2 million for each violation, as well as enforced changes to the way Medibank handles sensitive data.

Following the breach, the federal government announced that it was increasing the scope of such fines to $50 million.

Current or former Medibank, AHM or international student customers are eligible for the compensation action.
