‘Exposed and attacked’: Medibank customers seek revenge
Targeted by Russian criminals following last year’s cyber attack, furious Medibank customers have engaged law firm Slater & Gordon to launch a class action.
A third law firm has launched legal action against Medibank over last year’s cyber attack, with customers revealing how they became targets of scams after Russian criminals stole their personal details from Australia’s biggest health insurer.
Slater & Gordon has become the latest legal firm to seek compensation on behalf of the 9.7 million customers whose health records, claims data and other personal information were published on the dark web after Medibank refused to pay the hackers a $15m ransom.
The class action also alleges that Medibank breached its contractual obligations to customers, whom it had assured that it had “adequate and appropriate security controls in place” to protect their information.
Medibank is facing a $150m damage bill from the cyber attack’s fallout, including potential class action settlements, according to analysts. Medibank chief executive David Koczkar has apologised repeatedly for the attack and has been co-operating with cyber security and law enforcement agencies.
The health insurer says it will defend the proceedings.
Slater & Gordon – which says “thousands” of Medibank customers have registered for its class action – has revealed the personal toll the hack inflicted on policyholders in the weeks following the cyber assault.
The action’s lead applicant said in the weeks following the heist they became the target of a sophisticated scam.
“They knew my name and number so that was pretty intimidating,” the applicant said.
“I feel really exposed and unsettled knowing some personal information of mine is out there, and there’s nothing I can do about it. Someone could open an account or take out a line of credit in my name.”
The applicant also criticised communication they received from the health insurer, saying it was difficult to understand what personal information had been stolen.
“I needed to take steps on my own to try and find that out, and then take further steps to try and keep myself safe.”
Another customer – who also became a scam target – said Medibank refused to reimburse them travel costs after they were forced to change their passport in Canberra.
“I am from Peru and came to Australia as an international student. I trusted Medibank to protect my information and finding out about the breach has caused me significant distress,” the customer said.
“After the data breach I found out that my passport and visa details were compromised. The only way I can change my passport is in person at the Peruvian Embassy in Canberra. I live in Victoria so this would be a significant expense. I contacted Medibank but they refused to pay for my travel costs.
“I received confusing and conflicting notification letters. One said my passport details had not been compromised and another confirmed they had been. After the data breach, I noticed a scammer tried to access my AfterPay account. This has caused me a lot of stress and worry for my future.”
Medibank has implemented recommendations from a Deloitte report into the cyber attack that affected millions of its customers, but said it won’t release the report, citing security risks.
“We don’t think it is in the interests of our customers or the broader Australian community to publicly release their findings given the security risks this would pose, not only to Medibank but other Australian businesses,” a Medibank spokeswoman said last week.
Slater & Gordon is seeking compensation for losses the data breach caused to customers, including time and money spent replacing identity documents and taking other measures to protect their privacy and counter the increased likelihood of them falling victim to scams and identity theft. They are also seeking damages for non-economic losses such as “distress, frustration and disappointment”.
In early December the hackers dumped the entire cache of stolen Medibank data on the dark web, declaring the attack “case closed”, but the health insurer’s chief executive, David Koczkar, said at the time that its “work is not over” in cleaning up after the cyber heist.
The cyber criminals had previously drip-fed the release of customer health records throughout November, in a series of folders with labels relating to pregnancy terminations, drug and alcohol abuse and various mental health conditions, to cause Medibank maximum harm.
Medicare card numbers of at least 2.8 million Medibank customers were also released, as was health claims data relating to at least 480,000 customers. Passport numbers and country of issue, verbal identification passwords, employers, employee ID numbers and visa details were among an unknown quantity of other customer information that was compromised.
The health insurer set up a hotline and offered other customer support, including “financial hardship measures”.
Slater & Gordon class actions practice group leader Ben Hardwick said the attack was “one of the most serious data breaches in Australia’s history given the number of people whose information was compromised, and the nature of the information disclosed.”
It was Australia’s biggest cyber assault until it was surpassed by an attack on non-bank lender Latitude Financial earlier this year which affected about 14 million customers.
“Health information is something most people keep incredibly private and want kept between them, their doctors or health providers, and their insurer,” Mr Hardwick said.
“Yet for hundreds of thousands of Medibank and ahm customers who were caught up in this data breach, their sensitive health information was exposed on the internet for all to see. And for millions more, information critical to their data and personal security was also compromised.
“Medibank should have had adequate measures in place to prevent all of this, yet they didn’t.”
Medibank said in a statement to the ASX that it would defend the proceedings.
“Medibank continues to support its customers from the impact of the cybercrime through our previously announced Cyber Response Support Program which includes mental health and wellbeing support, identity protection and financial hardship measures,” Medibank said.
Law firms Maurice Blackburn, Bannister Law and Centennial Lawyers have been pursuing separate actions against Australia’s largest health insurer, but in January entered into a joint co-operation agreement against both Medibank and AHM in relation to the October breach.
Baker & McKenzie has also filed legal action against the health insurer.
Originally published as ‘Exposed and attacked’: Medibank customers seek revenge