Medibank faces possible class action after hack leaves millions of customers exposed
Medibank and ahm are facing a possible class action after a devastating data breach left millions of customers exposed.
Furious Medibank and ahm customers are gearing up for a major legal battle as a potential class action against the health insurance giants looms.
Last month, Medibank – one of the nation’s biggest private health insurance providers – announced it had been hit by a “cyber incident”.
It has since emerged that almost 10 million Australians have had their personal data breached after the credentials of a staff member with high-level access to Medibank systems were obtained and sold to hackers on a Russian cybercriminal forum.
The group has been releasing highly sensitive customer data on a dark web blog linked to the REvil Russian ransomware group since last week, including information about people’s mental health status, drug and alcohol use and previous pregnancy terminations, which may include non-viable pregnancy such as fetal anomaly, ectopic pregnancy, molar pregnancy, miscarriages and readmission for complications such as infection.
Now, Bannister Law Class Actions and Centennial Lawyers have joined forces to investigate the serious data breach affecting around 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers.
Bannister Law principal Charles Bannister told news.com.au lawyers had already been “inundated” with potential claimants, and said countless customers had already been seriously affected by the shocking breach.
He explained that many people have complained about their personal data being used to access bank accounts, while others, including those affected by domestic violence, were terrified after their addresses had been compromised – but added that the firm didn’t seem to “realise the impact of this leak”.
“There are understandably distressed victims of domestic violence as to their address details being made known. We are seeing widespread issues,” he said.
“Some individuals are literally living in fear for their lives if their addresses are made public, others live in fear of public ridicule, the loss of their employment and relationship break ups if their sensitive medical information is made public.
“Others are at risk of being blackmailed if their HIV status or other health information is made public. Some of Medibank and ahm’s clients will be police or security officers who are at great personal risk if their personal details and the details of their close family members become public.”
Bannister Law Class Actions revealed it had suggested 24-hour security for some claimants who have a high public profile and whose home address is strictly confidential, and pointed out Medibank had a duty to protect customers.
“Medibank promises to store members’ information securely and to have a range of security controls in place (including physical, technical and procedural safeguards) designed to protect personal information. They claim that their employees and contractors regularly receive targeted privacy training,” the company said in a statement.
“They claim (they) keep personal information for only as long as it is required in order to provide their members with products and services or to legitimately comply with their business and legal obligations and requirements. We have registrants whose policy was 10 years ago who have been notified that their data was included in the breach.
“Most importantly, they promise that where both possible and appropriate, that they will seek to de-identify personal information, so that an individual identity is not readily ascertainable from the de-identified information or from triangulating your de-identified information with other sources of information.”
It said that Medibank’s “failures” had “betrayed their members” and “exposed them to real harm”, and that “many people are distressed and anxious and have every right to be angry”.
Bannister Law Class Actions and Centennial Lawyers are now preparing legal proceedings to commence a class action, and expect to file proceedings shortly.
The legal firms urge all affected current and previous Medibank and ahm customers, including international customers, to register here.
A Medibank spokeswoman said the company “won’t speculate on potential litigation” but added that while it understood “several law firms are investigating a potential class action in relation to this cybercrime”, the firm had “not been contacted by any law firm regarding a class action”.
‘Scumbag’ hackers lashed
Last week, Home Affairs Minister Clare O’Neil slammed the “scumbag” hackers responsible for stealing the sensitive data from Medibank and publishing information about women who had terminated their pregnancies for a variety of reasons.
The information posted online on the dark web forum called ‘abortion’ included a spreadsheet with the names and personal details of 303 patients and policyholders along with the billing codes relating to terminations.
The group allegedly behind the hack also posted the data of more than 240 people in a file titled “boozy” last week, which included sensitive information about people’s mental health and alcohol issues.
“As a parliament and as a government, we stand with you,” Ms O’Neil told victims of the breach in Parliament.
“You are entitled to keep your health information private and what has occurred here is morally reprehensible and it is criminal.”
On Friday, the Australian Federal Police announced it had identified cyber criminals in Russia as the perpetrators of the Medibank hack, with AFP Commissioner Reece Kershaw urging Moscow to co-operate with the investigation.
“It’s important to note that Russia benefits from the intelligence sharing and data shared through Interpol and with that comes responsibilities and accountabilities,” Mr Kershaw told reporters.
However, Medibank chief executive David Koczkar warned that he expected the group to “continue to release stolen customer data each day”.
“The relentless nature of this tactic being used by the criminal is designed to cause distress and harm,” he said in a statement on Friday morning.
“These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.
“It’s obvious the criminal is enjoying the notoriety. Our single focus is the health and wellbeing and care of our customers.”