Furious Medibank and ahm clients are preparing for a major legal battle as a potential class action against the health insurance giants looms.
Last month, Medibank, one of the nation’s largest private health insurance providers, announced it was hit by a “cyber incident.”
It has since emerged that nearly 10 million Australians have had their personal data breached after the credentials of a staff member with high-level access to Medibank’s systems were obtained and sold to hackers on a Russian cybercriminal forum.
The group has been releasing highly sensitive customer data on a shadowy web blog linked to the Russian REvil ransomware group since last week, including information about people’s mental health and HIV status, drug and alcohol use, and previous abortions.
Now, Bannister Law Class Actions and Centennial Lawyers have joined forces to investigate the major data breach affecting approximately 5.1 million Medibank customers, 2.8 million ahm customers, and 1.8 million international customers.
Bannister Law principal Charles Bannister told news.com.au that lawyers had already been “inundated” with potential plaintiffs and said countless clients had already been badly affected by the shocking breach.
He explained that many people had complained that their personal details were being used to access bank accounts, while others, including victims of domestic violence, were terrified after their addresses were compromised, but added that the company did not seem to “realize the impact of this loss”.
“There are victims of domestic violence who are understandably distressed about the details of their address being disclosed. We are seeing widespread problems,” he said.
“Some individuals literally live in fear for their lives if their addresses are made public, others live in fear of public ridicule, loss of their job, and relationship breakdown if their sensitive medical information is made public.
“Others risk being blackmailed if their HIV status or other health information is made public. Some of Medibank’s and ahm’s clients will be policemen or security officers who are at great personal risk if their personal data and details of their immediate family members become public.”
Bannister Law Class Actions revealed that it has suggested round-the-clock security for some plaintiffs who have a high public profile and whose home address is strictly confidential, and stressed that Medibank has a duty to protect customers.
“Medibank promises to store member information securely and to have a variety of security controls in place (including physical, technical and procedural safeguards) designed to protect personal information. They claim that their employees and contractors receive targeted privacy training on a regular basis,” the company said in a statement.
“They claim that they retain personal information only for as long as necessary to provide their members with products and services or to lawfully comply with their business and legal obligations and requirements. We have registrants whose policy was 10 years ago who were notified that their data was included in the breach.
“Above all, they promise that, where possible and appropriate, they will try to anonymize personal information, so that an individual identity is not easily ascertained from anonymous information or by triangulating anonymous information with other sources of information.”
It said Medibank’s “failures” had “betrayed their members” and “exposed them to real harm,” and that “many people are distressed and anxious and have every right to be angry.”
Bannister Law Class Actions and Centennial Lawyers are now preparing legal proceedings to initiate a class action and plan to file proceedings shortly.
The law firms are urging all affected current and former Medibank and ahm clients, including international clients, to register.
A Medibank spokesperson said the company “will not speculate on potential litigation,” but added that while it understood that “several law firms are investigating a potential class action lawsuit in connection with this cybercrime,” the firm “had not been contacted by any law firm regarding a class action.”
“Scumbag” hackers whipped
Last week, Home Secretary Clare O’Neil criticized the “scumbag” hackers responsible for stealing sensitive data from Medibank and publishing information about women who had terminated their pregnancies for a variety of reasons.
Information posted online on the dark web forum called “abortion” included a spreadsheet with the names and personal details of 303 patients and policyholders along with billing codes related to terminations.
The group allegedly behind the hack also released data on more than 240 people in a file titled “boozy” last week, which included sensitive information about people’s mental health and alcohol problems.
“As a parliament and as a government, we stand with you,” O’Neil told the victims of the breach in Parliament.
“You have the right to keep your health information private, and what happened here is morally reprehensible and it’s criminal.”
On Friday, the Australian Federal Police announced it had identified cybercriminals in Russia as the perpetrators of the Medibank hack, with AFP Commissioner Reece Kershaw urging Moscow to cooperate with the investigation.
“It is important to note that Russia benefits from sharing the intelligence and data shared through Interpol and with that comes accountability and accountability,” Kershaw told reporters.
However, Medibank chief executive David Koczkar warned he expected the group to “continue to release stolen customer data every day”.
“The relentless nature of this tactic used by the criminal is designed to cause distress and harm,” he said in a statement Friday morning.
“These are real people behind this data and misuse of their data is regrettable and could discourage them from seeking medical treatment.
“It is obvious that the criminal is enjoying the notoriety. Our sole focus is the health, well-being and care of our customers.”