Medibank has confirmed a class action has been filed against it by law firm Slater and Gordon in the Federal Court, following a ransomware attack late last year.
The lawsuit alleges breaches of privacy and consumer laws, along with legislation covering customer data protection.
It makes three specific allegations against Medibank and its ahm subsidiary: that they failed to protect “or take reasonable steps to protect” customer information from unauthorised access or disclosure; failed to destroy or anonymise former customers’ personal information; and failed to comply with legal obligations covering the collection, use, storage and disclosure of customer information.
“The class action also alleges that Medibank breached its contractual obligations to customers to whom it assured it had ‘adequate and appropriate security controls in place’ to protect their Information”, the law firm said in a statement.
The October data breach hit 9.7 million policyholders, including 5.1 million Medibank customers, 2.8 million customers of Medibank-owned subsidiary ahm and 1.8 million international customers.
Slater and Gordon class actions practice group leader Ben Hardwick described it as “one of the most serious data breaches in Australia’s history given the number of people whose information was compromised, and the nature of the information disclosed.”
In a statement filed with the Australian Securities Exchange (ASX), Medibank said it would defend the proceedings.
Last week, Medibank also announced that Deloitte had handed over its independent review into the incident.
The medical insurer has not disclosed the findings of the review, saying only that it “intends to implement all recommendations not already undertaken, along with other enhancements previously planned by Medibank.”