Medibank hit by second class-action lawsuit for cyber breach

Medibank has been served with yet another class-action lawsuit for disclosures on its cyber security systems which led to a serious data breach last October.

U.S.-based law firm Quinn Emanuel Urquhart & Sullivan said in the lawsuit that Medibank breached disclosure obligations by failing to reveal information relevant to alleged deficiencies in its cyber security systems, Reuters reported.

This is the second class-action lawsuit filed against Australia’s largest health insurer in relation to the cyber event last October 11, 2022. During the incident, a security alert for unusual activity spotted on Medibank’s network eventually led to the discovery that an unnamed hacker group had gained access to the data of 9.7 million current and former Medibank customers – including 500,000 health claims – and released the data on the dark web.

In a recent cybercrime update, Medibank outlined what happened as follows:

• The hacker accessed Medibank systems using stolen Medibank credentials being used by a third-party IT service provider.
• The hacker accessed Medibank’s network through a misconfigured firewall which did not require an additional digital security certificate.
• The hacker was able to obtain more usernames and passwords to gain access to Medibank’s systems.
• Medibank shut down the criminal’s attack path and could detect no further activity from the hacker since October 12.

Medibank also provided affected Medibank and ahm customers with a tailored support package which included round-the-clock mental health support and access to specialist identity protection advice.

Today we will announce a comprehensive customer support package, which will include: 24/7 mental health and wellbeing support, support for customers who are in uniquely vulnerable positions and access to specialist identity protection advice with IDCARE for all customers

— Medibank (@medibank) October 24, 2022

The AFP criminal investigation into the cybercrime is still ongoing.

Medibank told Reuters it intends to defend itself against the second class-action lawsuit filed against it.

Just last month, the law firm Baker & McKenzie slapped Medibank with its first class-action suit regarding the October 2022 cyber event. Baker & McKenzie alleged a breach of contract, violation of Australian consumer law, and breach of equitable obligations of confidence.

Medibank is one of many Australian companies attacked by cyber hackers and ransomware since September last year, Reuters reported. Digital payments firm Latitude Group and intellectual services provider IPH both reported data breaches earlier this month, making them some of the latest additions to the growing list of Aussie targets.

Any thoughts on the story? Let us know in the comments below.