The breach involved highly personal information of millions of Medibank customers, including names, dates of birth, phone numbers, email addresses, some Medicare and passport numbers and in some cases, sensitive healthcare information, including codes associated with diagnosis and medical procedures.

A ransomware group has since been posting the stolen data online in an attempt to extort the company. In response to Medibank not meeting its ransom demand, hackers have started to release the remaining customer data on the dark web.

Maurice Blackburn first launched an investigation into action on 13 November, following the one announced the week before by Bannister Law Class Actions and Centennial Lawyers.

At the time, the firm was also in the process of considering a class action against Optus following its own data breach.

Now, Maurice Blackburn has lodged a formal complaint with the Office of the Australian Information Commissioner (OAIC), which has the power to order Medibank to pay compensation to affected customers, in what the firm said was an “important test of Australian privacy laws”.

Under the Privacy Act 1988 (Cth), corporations that do not take reasonable steps to protect the personal information of clients face penalties, including fines, and consumers may also be compensated for privacy breaches. 

The representative complaint alleges Medibank failed in its duties by failing to take steps to protect the privacy of its customers’ personal information and sensitive health information from interference, loss, unauthorised access and unauthorised disclosure.

VIEW ALL

Maurice Blackburn principal lawyer Andrew Watson said the OAIC has power to order compensation to be paid to affected customers. 

“The disclosure of personal information, particularly the nature of the information held by Medibank, has caused millions of Australians significant distress. The right to privacy is a fundamental human right, and the representative complaint to the Australian Information Commissioner offers an avenue of redress to the millions affected by this incident,” he said.

“We cannot undo the damage that has been caused in this data breach, but we can ask the commissioner to investigate the data breach and seek compensation from Medibank on behalf of those affected, including for financial or non-financial loss, such as humiliation, stress, and feelings of anxiety.” 

The launch of this claim comes after Medibank made a statement to the ASX in response to an announcement from the Australian Prudential Regulation Authority (APRA), which stated the APRA was still considering whether “further regulatory action” was needed following the breach.

In the statement, Medibank chief executive David Koczkar said that the organisation has “been in regular consultation with APRA” since the breach and that he believed it was important to have an external review regarding the matter.

“We will share the key outcomes and consequences of the review, where appropriate, having regard to the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police investigation,” he stated.

“We are also committed to sharing what we have learnt from our experience so that Australian businesses and the broader community can be better placed to navigate any similar challenges in future. Our absolute focus is to continue to support and protect our customers through this time.”

Update: In a separate announcement to the ASX, Medibank noted that they "were not aware" that a complaint had been lodged by Maurice Blackburn, and despite receiving a letter from Maurice Blackburn stating their intent to file a complaint, Medibank has yet to be notified of such actions.