A class action has been announced against Medibank Private over the hacking incident that compromised the data of 9.7 million customers.
Two law firms, Bannister Law Class Actions and Centennial Lawyers, are working together to investigate the hacking incident. Customer information such as names, dates of birth, driver’s licence numbers, addresses and some medical records has been accessed.
“We believe the data breach is a betrayal of Medibank Private’s customers and a breach of the Privacy Act,” Bannister Law and Centennial Law wrote in a joint statement.
“Medibank has a duty to keep this kind of information confidential.
“This latest data breach exposes the lack of safeguards in place to prevent such personal and private information being released to wrongdoers and Medibank and ahm have failed policyholders in these circumstances.”
A similar class action was brought against telco giant Optus in September over its recent data breach. While both hacking incidents were of a similar scale, the Medibank data breach is potentially more serious because private health data was accessed.
Associate Professor Michael Duffy at Monash Business School said a Medibank class action may raise similar procedural issues to the current Optus class action.
“In terms of the liability argument, there may be a question of whether reasonable care was or was not exercised by Medibank, and whether appropriate defensive technology is being used,” said Duffy.
“As these hacks are becoming more common and formidable, there may be another question into the future of how reasonable it is for businesses to keep asking for sensitive personal data as a condition of doing business,” he said.
“Nevertheless, businesses requesting and keeping personal details that aren’t completely essential could become more legally problematic for them, if they are hacked.”
This week, the alleged hacker threatened to sell customer information if Medibank failed to pay a ransom. The threat was posted on a website linked to the Russian ransomware group REvil. The post read: “Data will be publish (sic) in 24 hours. P.S. I recommend to sell medibank stocks”. Underneath the post, the hacker linked to a satirical video about the Medibank data breach featuring Mark Humphries.
Medibank Private said it will not pay a ransom to the criminal responsible for the data theft and is following the advice of cyber security experts.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” said Medibank CEO David Koczkar.
“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.
“It is for these reasons we have decided we will not pay a ransom for this event.”
Professor Lyria Bennett Moses, a cybersecurity expert at the University of NSW, said it was a difficult situation to navigate.
“[When] people pay ransom…they are taking on legal risk in the sense that there is the possibility that the organisation can be accused of money laundering or funding terrorism…[and] essentially they are funding more of this kind of cybercrime as well,” said Moses.
“On the other hand, by not paying the ransom, they increase the risk that individuals whose data is caught up in this, who obviously have done nothing wrong, will be directly harmed.”
Monash University expert Dr Lennon Chang considered the Australian Cyber Security Centre’s third annual cyber threat report and the evolving nature of cybercrime in Australia.
“There is no big change in terms of cybercrime types compared to last year’s report. Money is still the main purpose for cyber criminals,” said Chang.
“The line between cybercrime and national security is becoming blurred. Cyberattack and cybercrime are now part of cyberwar. Cybercrime can become a national security issue, given the current landscape.”
The Australian Federal Police recently launched Operation Pallidus to investigate the data breach against Medibank Private.