Medibank sued over massive data breach
Medibank is facing a massive class action lawsuit in the wake of its embarrassing data breach, which resulted in the private information of millions of Aussies being shared online by hackers.
Australian law firm Slater and Gordon launched court proceedings on Friday against the health care giant on behalf of former, existing, and prospective customers whose personal information was compromised during a ransomware attack in October.
The lawsuit claims Medibank and its subsidiary Australian Health Management allegedly failed to protect the personal information of more than nine million customers.
It further alleges that Medibank and AHM breached privacy and consumer laws, as well as legislation governing customer data retention and data protection for private insurers operating in Australia.
Slater and Gordon class actions leader Ben Hardwick said Medibank should have had adequate measures in place to prevent the breach.
“Health information is something most people keep incredibly private,” Mr Hardwick said.
“Yet for hundreds of thousands of Medibank and ahm customers who were caught up in this data breach, their sensitive health information was exposed on the internet for all to see. For millions more, information critical to their data and personal security was also compromised.”
Stolen customer information was progressively released online by hackers from November 9, 2022.
The sensitive information included diagnoses of HIV, drug and alcohol treatments, and treatments for mental health.
At least 9.7 million Medibank customers also had personal information such as names, dates of birth, addresses, phone numbers, and email addresses posted online. A further 2.8 million Medibank card numbers were also released.
Mr Hardwick said thousands of former, current, and prospective customers had already registered to join the class action.
The court action comes as ransomware group Medusa revealed on Friday it had attacked a cancer centre at Westmead Hospital.
The hackers gave NSW Health seven days to pay a ransom of $100,000, and threatened to release stolen data if the amount was not paid.