Medibank sued over data breach: 'I feel exposed'

Slater and Gordon launched a class action against Medibank in the Federal Court.

·3-min read
A composite image of a Medibank office and a person who's identity is hidden by shadows.
A class action has been launched against Medibank. (Source: Getty)

Aussies impacted by the Medibank data breach have issued proceedings against the company after their personal information was compromised and published online for anyone to see.

Law firm Slater and Gordon said the claim extended to customers of Medibank subsidiary Australian Health Management (ahm) as well as customers of Medibank’s travel insurance products.

Impacted children whose information was affected are also in the class, as are authorised representatives and providers.

The class action alleges Medibank and ahm:

  • Failed to protect or take reasonable steps to protect customers’ personal information from unauthorised access or disclosure

  • Failed to destroy or de-identify former customers’ personal information

  • Failed to comply with legal obligations in collecting, using, storing and disclosing customer information.

The class action also alleges Medibank breached its contractual obligations to customers because it had promised it had “adequate and appropriate security controls in place” to protect their information.

Those taking part in the class action are seeking compensation for losses the data breach caused, including time and money spent replacing identity documents.

They are also seeking damages for non-economic losses, such as distress, frustration and disappointment.

If you were affected by the Medibank hack you can still join the class action by registering your interest on the Slater and Gordon website.

What information was stolen?

Between November 9, 2022 and December 1, 2022, Medibank revealed that stolen customer information was progressively released on the internet, including information about customers who were diagnosed with HIV, had received treatment for drug and alcohol addiction and treatment for mental health issues.

At least 9.7 million Medibank customers had personal information - such as names, dates of birth, addresses, phone numbers and email addresses - posted online.

Medicare card numbers of at least 2.8 million Medibank customers were also released, along with health-claims data in respect to at least 480,000 customers. Passport numbers and country of issue, verbal-identification passwords, employers, employee ID numbers and visa details were among an unknown number of other customer information that was compromised.

Victims feel 'exposed'

The lead applicant, who did not want his name disclosed, said after seeing that ahm was a brand owned by Medibank when he joined, he assumed and trusted that meant everything was in check.

“I feel really exposed and unsettled knowing personal information of mine is out there, and there’s nothing I can do about it,” he said.

Slater and Gordon class actions practice group leader Ben Hardwick described it as one of the most serious data breaches in Australia’s history.

“Health information is something most people keep incredibly private and want kept between them, their doctors or health providers, and their insurer,” Hardwick said.

“Yet, for hundreds of thousands of Medibank and ahm customers who were caught up in this data breach, their sensitive health information was exposed on the internet for all to see. And for millions more, information critical to their data and personal security was also compromised.

“Medibank should have had adequate measures in place to prevent all of this, yet they didn’t.”

Follow Yahoo Finance on Facebook, LinkedIn, Instagram and Twitter, and subscribe to our free daily newsletter.