Skip to main contentSkip to navigationSkip to navigation
The Medibank logo on a smartphone and in the background
Baker McKenzie has launched a class action lawsuit against Medibank in Australia’s federal court after customers’ details were exposed in a cyber attack. Photograph: Rafael Henrique/Sopa Images/Rex/Shutterstock
Baker McKenzie has launched a class action lawsuit against Medibank in Australia’s federal court after customers’ details were exposed in a cyber attack. Photograph: Rafael Henrique/Sopa Images/Rex/Shutterstock

Medibank class action launched after massive hack put private information of millions on dark web

This article is more than 1 year old

Law firm Baker McKenzie says company failed to protect privacy of customers in Australia and overseas

The law firm Baker McKenzie has launched a class action lawsuit against Medibank over the health insurer’s massive cyber attack last year that resulted in the personal details of up to 10 million customers being posted on the dark web.

In what became the largest breach of its kind to date in Australia, the hack on Medibank resulted in the personal details of 9.7 million current and former customers, including 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers, being leaked.

Additionally, health claims for about 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers were accessed. The information exposed included service provider names and codes associated with diagnosis and procedures.

Baker McKenzie’s federal court lawsuit centres on the company’s alleged failure to protect customer privacy.

“The Medibank Private data breach was among the worst in the nation’s corporate history, affecting the private information of millions of retail customers across Australia and overseas,” a Baker McKenzie spokesperson said.

“In launching this class action in the federal court, Baker McKenzie is to provide affected individuals with an avenue for redress and compensation for the loss and distress caused by Medibank Private’s alleged failings.”

The class action is funded on a “no win, no pay” basis.

On Thursday the federal court heard that Medibank may seek a stay on the case until the Office of the Australian Information Commissioner has finalised an investigation it began in December over whether Medibank breached Australian privacy law.

Guardian Australia sought comment from the OAIC about the expected timing of the investigation.

The commissioner, Angelene Falk, told Senate estimates this week in relation to other cases that the office aims for investigations to be completed within 12 months.

skip past newsletter promotion

Baker McKenzie has been given until the end of March to submit a revised statement of claim, with Medibank to file a defence by 1 May. The case is not expected to be back in court until 12 May.

Guardian Australia has sought comment from Medibank.

Lawyers acting for Baker McKenzie indicated they would be seeking to ensure Medibank had downloaded the data posted on the dark web as part of the evidence for the case.

A decision on whether to proceed with a separate class action from law firm Slater & Gordon is expected to be finalised in the next few months.

Most viewed

Most viewed