NewsBite

Compensation proceedings begin for Medibank customers over cyber attack

Are you a Medibank customer? You may be entitled to compensation after Russian hackers stole your health records and other sensitive data.

Law firm Maurice Blackburn is investigating whether Medibank customers are entitled to compensation.

An investigation has begun to determine whether Medibank customers will be entitled to compensation after Russian cyber criminals published their health records, including treatments for drug dependency, alcohol abuse and abortions.

Melbourne-headquartered law firm Maurice Blackburn has confirmed it is investigating a legal claim against Medibank after almost 10 million of its current and former customers had their personal data exposed in one of Australia’s biggest cyber heists.

The investigation came as Australian companies could be banned from making ransom payments to cyber criminals under reforms being considered by the Albanese government.

Home Affairs Minister Clare O’Neil flagged the potential law change as she accused Russian President Vladimir Putin of harbouring cyber criminals who were targeting Australians, after the Australian Federal Police on Friday revealed the Medibank hack came from Russian syndicates with a history of conducting “significant breaches in countries around the world”.

Ms O’Neil said there needed to be long-term reforms as well as immediate responses to the hacking of the systems of Medibank and Optus, with the government to consider making ransomware payments illegal. “I think it is pretty clear that Medibank was right not to pay the ransom because I have never seen people that lack a moral code so clearly than the hackers who are releasing data about Australians online,” she told ABC’s Insiders. “The idea that we are going to trust these people to delete data that they have taken off and may have copied a million times is just frankly silly.

“We don’t want to fuel the ransomware business model and that is what happens when ransoms are paid.”

Medibank has been contacted for comment.

Other information stolen by the Russian hackers – who accessed Medibank’s customer database after buying one of the company’s high-level logins from an online criminal forum – includes the names, dates of birth, phone numbers, email addresses and some Medicare and passport numbers of policyholders.


The hackers have escalated their assault on Australia’s biggest health insurer after chief executive David Koczkar said the company had refused to pay a $15m ransom.

Already, the cyber criminals have published three tranches of sensitive customer data on the dark web, with Mr Koczkar warning of more leaks to come.

Maurice Blackburn principal lawyer Andrew Watson said the firm was “carefully reviewing” the latest breach and investigating whether customers were entitled to compensation.

“Companies that hold their customers’ sensitive health information have an important obligation to make sure that information is safeguarded, commensurate with the sensitivity of that data,” Mr Watson said.

“As custodians of customers’ personal health information, Medibank have a heightened responsibility to put in place greater safeguards to secure the personal and health claim information it collected from its customers, including appropriate security and monitoring systems to protect against unauthorised access or disclosure of that data.

“Medibank, ahm and international student customers will understandably feel very vulnerable and distressed as a result of this incident.”

Mr Putin has made clear in the past he would “never” extradite Russian nationals charged with cyber offences in the West, such as the interference with the US election, of which 13 nationals are accused.

Ms O’Neil said neither Optus nor Medibank had fulfilled their duties in safeguarding the information of customers, but warned it was a broader national issue, with the government holding more data than the private sector.


Original URL: https://www.theaustralian.com.au/business/companies/compensation-proceedings-begin-for-medibank-customers-over-cyber-attack/news-story/688804a9306b4baf7484cfa132cc8e4a