Share this article on:
Australian private health insurance giant Medibank is set to face additional proceedings, with a global law firm bringing a shareholder action for alleged breach of continuous disclosure obligations pertaining to purported non-disclosures about deficiencies in the company’s cyber security defences.
This afternoon (Wednesday, 29 March), Medibank (ASX: MPL) announced to the market that it was served with class action proceedings in the Supreme Court of Victoria, months after one of the biggest data privacy breaches in Australia’s history.
The proceedings are on behalf of shareholders who acquired interests in the health insurance provider between 1 July 2019 and 19 October 2022 and are being brought by global plaintiff firm Quinn Emanuel Urquhart & Sullivan.
On the website set up by the firm for shareholders to register for the class action, Quinn Emanuel outlined that its claim against the health insurance provider arises from the breach of “substantial volumes of data” from Medibank’s network, including the personal and health claims data of customers being accessed by one or more hackers.
“The stolen data was later publicly released via the dark web,” the firm noted.
“Briefly and in broad terms”, the firm is alleging that, prior to the breach late last year, “Medibank was ‘aware’ of information concerning deficiencies in its cyber security systems, [and] by failing to disclose that information to the Australian Securities Exchange, Medibank breached the continuous disclosure obligations imposed on it by provisions of the Corporations Act”.
Moreover, Quinn Emanuel continued, “the failure to disclose the information caused the market price of Medibank shares to be inflated so that investors purchased those shares at a price which was greater than what they would otherwise have paid”.
Medibank noted that it intends to defend the proceedings.
The news follows the filing of a class action against Medibank by fellow global law firm Baker McKenzie, in conjunction with litigation funder Omni Bridgeway, in February.
It also follows the decision by Maurice Blackburn Lawyers, Bannister Law Class Actions, and Centennial Lawyers to join forces on an action to secure compensation for consumers in mid-January.
The joint proceedings followed the launching of an investigation by Maurice Blackburn in mid-November (which became an officially launched proceeding in December) and by Bannister Law and Centennial Lawyers in early November.
The cyber breach late last year involved highly personal information of millions of Medibank customers, including names, dates of birth, phone numbers, email addresses, some Medicare and passport numbers and in some cases, sensitive healthcare information, including codes associated with diagnosis and medical procedures.
“Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers, and around 20,000 international customers [were accessed]. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered,” the provider said at the time.
“Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed, and around 2,900 next of kin of these patients have had some contact details accessed.”