Law firm Slater and Gordon have issued proceedings against Medibank for its October 2022 data breach that affected 9.7 million current and former customers.
Announced by the health insurance company on 13 October 2022, Medibank initially claimed that it had detected suspicious behaviour on its network a day earlier and said at the time there was no evidence that sensitive data was accessed.
A week later, Medibank changed its tune and said 200 gigabytes of sensitive data was stolen, which included first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data. It also included locations where customers received medical services and codes related to diagnoses and procedures.
Lodged in the Federal Court, the statement of claim alleges that Medibank and ahm (Australian Health Management) breached privacy and consumer laws and legislation on customer data retention and data protection for private insurers.
The allegations include that reasonable steps to protect customer data from unauthorised access or disclosure were not taken, former customer personal information was not destroyed or de-identified and legal obligations in collecting, using, storing and disclosing customer information were not complied with.
The class action also alleges that Medibank breached contracted obligations to customers, with the firm claiming it assured it had “adequate and appropriate security controls in place”.
“Health information is something most people keep incredibly private and want to be kept between them, their doctors or health providers, and their insurer,” said Slater and Gordon class actions practice group leader Ben Hardwick.
“Yet for hundreds of thousands of Medibank and ahm customers who were caught up in this data breach, their sensitive health information was exposed on the internet for all to see. And for millions more, information critical to their data and personal security was also compromised.
“Medibank should have had adequate measures in place to prevent all of this, yet they didn’t.”