
‘I feel really exposed’: Slaters files class action against Medibank

Legal proceedings against Medibank keep piling up, with another national law firm issuing a class action against the private health insurer over last year’s data breach that impacted millions of customers.

Jerome Doraisamy 05 May 2023 Big Law

Editor's note: This story has been updated to include Medibank’s market announcement, which came hours after this story was first published.

Just weeks after filing a class action against telco giant Optus about its massive data breach late last year, national plaintiff firm Slater & Gordon has launched proceedings against Medibank Private Limited (ASX: MPL) over the cyber attack it suffered in the back half of 2022.

On 13 October 2022, Medibank confirmed to the market that it had detected “unusual activity” on its network, before disclosing that customer data had been accessed and stolen, affecting as many as 9.7 million current and former Medibank, ahm, and international student customers.


This prompted a flurry of class action investigations, firstly by Bannister Law Class Actions and Centennial Lawyers in early November and then by Maurice Blackburn in mid-November, which then also lodged a formal compensation action with the Office of the Australian Information Commissioner in early December.

The abovementioned firms joined forces on their class action proceedings in January. The following month, global law firm Baker McKenzie instigated its own proceedings, funded by Omni Bridgeway, and then at the end of March, fellow global firm Quinn Emanuel Urquhart & Sullivan served Medibank with proceedings.

Now, Slaters has issued its own proceedings in the Federal Court of Australia on behalf of former, existing and prospective customers whose highly sensitive personal information was compromised – and published on the internet – in the October 2022 data breach.

The claim also extends to customers of Medibank’s subsidiary Australian Health Management (ahm) as well as customers of Medibank’s travel insurance products, together with impacted children, authorised representatives and providers.

The news comes after Medibank announced in late April that Deloitte had concluded its external review of the data breach and that it intends to “implement all recommendations not already undertaken, along with other enhancements previously planned”.

The filing of the class action by Slaters also follows its delisting from the ASX earlier this week, with Australian private equity firm Allegro Funds having acquired the entirety of the national plaintiff firm.

Slater & Gordon’s claim against Medibank and ahm includes that they failed to protect or take reasonable steps to protect customers’ personal information from unauthorised access or disclosure, failed to destroy or de-identify former customers’ personal information, and failed to comply with legal obligations in collecting, using, storing and disclosing customer information.

The proceedings will also allege that Medibank breached its contractual obligations to customers, whom it had assured that it had “adequate and appropriate security controls in place” to protect their information.

Group members will seek compensation for loss, including time and money spent replacing identity documents and taking other measures to protect their privacy and reduce the increased likelihood of falling victim to scams and identity theft. They will also seek damages for non-economic losses such as distress, frustration and disappointment.

The lead applicant, who wishes to remain anonymous, said that after seeing that ahm was a brand owned by Medibank when he joined, he assumed and trusted that meant everything was in check.

“I feel really exposed and unsettled knowing personal information of mine is out there, and there’s nothing I can do about it,” he posited.

Slaters class actions practice group leader Ben Hardwick described it as “one of the most serious data breaches in Australia’s history given the number of people whose information was compromised, and the nature of the information disclosed”.

“Health information is something most people keep incredibly private and want kept between them, their doctors or health providers, and their insurer,” he said.

“Yet for hundreds of thousands of Medibank and ahm customers who were caught up in this data breach, their sensitive health information was exposed on the internet for all to see. And for millions more, information critical to their data and personal security was also compromised. 

“Medibank should have had adequate measures in place to prevent all of this, yet they didn’t.”

In a market announcement, Medibank said it intends to defend the proceedings. 

“Medibank continues to support its customers from the impact of the cyber crime through our previously announced Cyber Response Support Program, which includes mental health and wellbeing support, identity protection and financial hardship measures,” it noted.