A trio of leading law firms are merging their class-action lawsuits against health insurer Medibank to secure compensation for tens of thousands of customers after their private details were leaked in one of the biggest data breaches in Australian history.
Maurice Blackburn, Centennial Lawyers and Sydney-based Bannister Law announced on Monday 16 January that they have entered into a joint co-operation agreement against Medibank and subsidiary AHM concerning the October 2022 attack, in which a ransomware group stole sensitive information and compromised the data of 9.7 million people.
The firms are pursuing the Office of the Australian Information Commissioner (OAIC), which has the power to order compensation to those customers impacted by the breach.
The OAIC announced in December 2022 they had commenced an investigation, focused on whether Medibank took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure. A week later, Maurice Blackburn lodged a formal complaint with the OAIC.
Bannister Law Class Actions and Centennial Lawyers were already working together on the class action.
If the investigation finds serious or repeated interferences with privacy in violation of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.
After deciding to combine their legal actions, the firms say they have already registered tens of thousands of Medibank customers after investigating their compensation claims.
Andrew Watson, Maurice Blackburn’s head of class actions, said the co-operation agreement was a significant development.
“This data breach has caused millions of Australians significant distress. The co-operation agreement ensures that all three law firms are working together for the common aim of obtaining compensation for those affected as quickly as possible,” said Watson.
Bannister Law Class Actions Principal Charles Bannister said he hoped the agreement would lead to compensation payments to the millions of Medibank customers whose data was breached.
“We believe the data breach is a betrayal of Medibank Private’s customers and a breach of the Privacy Act. Medibank has a duty to keep this kind of information confidential,” Bannister said.
The hackers were able to access information on current and former customers including names, dates of birth, driver’s license numbers, and other sensitive information relating to drug addiction and mental health.
The criminal group behind the attack demanded a ransom of $US10 million (AUD$15.5 million) from Australia’s largest health insurer in exchange for not leaking the data. However, Medibank told the group it would not pay the ransom. As a result, a trove of stolen records, including Medicare numbers and billing codes that indicate abortion procedures, was uploaded to the dark web.
Medibank said it is continuing to cooperate with the OAIC and its ongoing investigation.