Medibank faces third class action over cyber breach

Claim extends to customers of company's other brands

Medibank faces third class action over cyber breach

Insurance News

By Roxanne Libatique

Major private health insurer Medibank has been hit by its third class action over the October 2022 data breach that made the headlines.

In a statement, class-action law firm Slater and Gordon confirmed that it already issued proceedings against Medibank on behalf of former, existing, and prospective customers whose highly sensitive personal information was obtained by cyber attackers and posted on the internet.

The claim extends to customers of Medibank's travel insurance products and subsidiary Australian Health Management (ahm), noting Medibank's announcement early this year that the data breach extended to one of its brands. The class action also extends to children whose information was affected, as are authorised representatives and providers.

Statement of claim

Slater and Gordon alleged that Medibank and ahm breached privacy and consumer laws and litigation that governs customer data retention and data protection for private insurers in Australia.

The law firm claimed that both companies:

  • failed to protect or take reasonable steps to protect their customers' personal information from unauthorised access or disclosure;
  • failed to destroy or de-identify former customers' personal information; and
  • failed to comply with legal obligations in collecting, using, storing, and disclosing customer information.

The class action further claimed that Medibank breached its contractual obligations to customers to whom it assured it had “adequate and appropriate security controls in place” to protect their personal information.

Medibank responds to class action

In a statement, Medibank acknowledged the consumer class action against the company filed by Slater and Gordon in the Federal Court of Australia on May 04, 2023.

“Medibank understands that these proceedings have been brought on behalf of current, former, and prospective customers, authorised representatives of customers, and providers of healthcare services in relation to the cybercrime event,” it said. “The statement of claim includes allegations of breach of contract, negligence, and contraventions of the Australian Consumer Law.”

The insurer confirmed that it will defend the proceedings while continuing to support its customers from the impact of the breach through its previously announced Cyber Response Support Program.

Litigation funder Omni Bridgeway and international law firm Baker & McKenzie brought the first class-action lawsuit against Medibank. US-based law firm Quinn Emmanuel Urquhart & Sullivan also filed for a consumer class-action lawsuit, followed by Slater and Gordon.

Medibank recently released the results of the cyber incident review conducted by Deloitte. It confirmed that it already implemented some of the review recommendations and will continue to review its cyber security governance solutions.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!