Australian Law Firms Cooperate in Medibank Litigation
Ransomware Hacking Incident Could Prove Costly for the Private Health Insurer
After the breach comes the litigation: Three Australian class action law firms say they've teamed up against private health insurer Medibank on behalf of the up to 9.7 million individuals affected by the firm's customer data breach at the hands of ransomware hackers.
Cybercriminals, identified by Australian police as operating inside Russia, last year released data belonging to policyholders in a series of leaks designed to maximize humiliation. The info dumps came in stages that included the names of individuals being treated for mental health conditions or who underwent abortions. In December, the hackers dumped 6.4 gigabytes in zipped folders, apparently the entirety of their stolen data, and declared "case closed."
Medibank vowed not to negotiate, saying it did not trust the ransomware hackers to honor promises to delete data stolen during an October cybersecurity incident.
In November, Melbourne-based law firm Maurice Blackburn sent a complaint to the Office of the Australian Information Commissioner accusing the insurance giant of breaching Australian privacy statute by failing to protect customer data. It has now teamed with Sydney-based firms Bannister Law Class Actions and Centennial Lawyers to pursue the complaint, saying that affected individuals should receive compensation. An actual lawsuit is a possibility, the firms say, telling Australians that they "are still considering the potential for this data breach investigation to become a class action."
A Maurice Blackburn spokesman said approximately 100,000 Medibank customers have so far registered with the three firms.* Under the Privacy Act, the Office of the Australian Information Commissioner can award compensation to victims for financial and non-financial loss, "including for the injury to victims’ feelings and the humiliation suffered by them," the spokesperson said. "We think obtaining that kind of compensation is essential in this case, because the Medibank data breach has resulted in very sensitive private personal and health information being accessed and released on the web, which has caused significant distress and humiliation to victims."
Centennial Lawyers principal solicitor George Newhouse told Australian morning TV show "Sunshine" on Monday that 45,000 individuals have registered with the firms. Compensation could range between AU$500 and AU$20,000 per person, he said.
The Office of the Australian Information Commissioner announced in December an investigation into Medibank's cybersecurity practices.
Reached for comment, a Medibank spokesperson said the company is cooperating with the OAIC and pointed to its efforts to provide support to affected individuals.
*Update Jan. 18, 2022, 8:44 UTC: Adds comments from Maurice Blackburn.