Three Australian class action firms, purporting to represent as many as 9.7 million customers Monday announced a landmark Australian data breach class action plan against insurance provider Medibank after entering a joint cooperation agreement the previous week.
The firms, Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers, entered the agreement in relation to a data breach on October 13, 2022 which saw personal data, passport numbers, Medicare numbers and health claims data obtained through illegal means. The firms, who have already registered tens of thousands of Medibank customers, have been investigating compensation claims.
Maurice Blackburn’s Class Actions Principal Andrew Watson said the cooperation agreement was a significant development. He stated the data breach “caused millions of Australians significant distress” and that the agreement ensures the firms “are working together for the common aim of obtaining compensation for those affected as quickly as possible.” Watson’s counterpart from Bannister Law, Charles Bannister, said he hoped a class action would lead swiftly to compensation payments, and that the “data breach [was] a betrayal of Medibank Private’s customers” since Medibank “has a duty to keep this kind of information confidential.”
Maurice Blackburn made a representative complaint to the Office of the Australian Information Commissioner (OAIC) in November 2022, alleging Medibank breached the Privacy Act 1988 and failed to adequately protect the personal and health information of its current and former customers. The OAIC commenced an investigation into the personal information handling practices of Medibank in relation to its notifiable data breach on December 1, 2022. The OAIC stated: “If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.”
In November 2022, the Australian Federal Police announced they believed those behind the breach were from Russia, saying: “To the criminals: We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system.” It is alleged the hackers have already released 6.4 gigabytes of data on the dark web.
University of Newcastle law student Jess Lemmich, contacted by Medibank to inform her data had been released into the dark web, stated she joined the class action because it was not only her data but also her eight-year-old son’s medical details and history that had been breached. She asked, “I’m grateful so far payment and financial details have not yet been accessed, but is it only a matter of time?”