Share this article on:
Medibank is set to face a class action over the data breach that exposed the private health data of almost 10 million people, after the hacker announced the personal records would be leaked.
Personal information of 9.7 million past and present Medibank private customers have been compromised in the hacking incident.
According to Centennial Lawyers and Bannister Law Class Actions, which will be investigating the breach, “the data breach is a betrayal of Medibank Private’s customers and a breach of the Privacy Act”.
“Medibank has a duty to keep this kind of information confidential.
“The two firms will be investigating [whether] Medibank breached their privacy policy and the terms of their contract of the medical insurance which they provided to their customers.
“The lawyers will also assess whether damages should be paid to Medibank customers as a result of their breaches,” Bannister Law Class Actions stated in a statement.
The class action follows recent comments from someone claiming to be the hacker on a dark web forum threatening to release the classified information.
“Data will be publish in 24 hours.
“P.S. I recommend to sell Medibank stocks.”
It has not yet been confirmed whether the comment was made by the hacker; however, the dark web forum has been linked to ransomware gang REvil.
After the private health insurer refused to pay a ransom for stolen customer data, Medibank customers are now bracing themselves for the worst, leading the alleged hacker to proclaim the data would be published online within 24 hours.
Medibank’s ongoing investigations have revealed much more data was accessed than previously thought, including some health claims data and the names, addresses, dates of birth, phone numbers, and email addresses of some 9.7 million current and former customers.
Medibank also announced its stance on ransom demands, with chief executive David Koczkar asserting that “no ransom payment will be made to the criminal responsible for the data theft”.
“We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.
“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” Koczkar said.
Medibank asserts its decision is consistent with the position of the Australian government, confirmed by Cyber Security Minister Clare O’Neil.
“Paying them only fuels the ransomware business model.
“Medibank’s decision is consistent with Australian government advice,” O’Neil confirmed.
“Cyber criminals cheat, lie and steal.
“They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals,” O’Neil added.
Medibank customers are being cautioned to be vigilant as the exposure of personal information could result in unwarranted contact with cyber criminals or personalised scams.
“Customers should remain vigilant as the criminal may publish customer data online or attempt to contact customers directly,” Medibank advised.
Medibank has promised continued support for affected customers whose data has been accessed or stolen, including providing advice on what they should do.
The private health insurer has also expanded its Cyber Response Support Program to include a cyber crime health and wellbeing phone line, a mental health outreach service for customers identified as being vulnerable, and additions to its Better Minds app for tailored preventative health advice and cyber crime resources.
[Related: Federal opposition urges Albanese to crack down on cyber security]