Bannister Law Class Actions, Centennial Lawyers and Maurice Blackburn have joined forces to pursue compensation for customers affected by the ransomware attack on Medibank last year.
Maurice Blackburn filed a formal representative complaint to the Office of the Australian Information Commissioner, which has the power to order compensation for data breaches, in November.
Under the joint cooperation agreement, the three firms will jointly seek orders for compensation from the OAIC.
Tens of thousands of the health insurer’s current and former customers had already signed up to the lawsuit, a joint release said.
Maurice Blackburn head of class actions Andrew Watson said, “the cooperation agreement ensures that all three law firms are working together for the common aim of obtaining compensation for those affected as quickly as possible.”
Medibank confirmed the breach on October 13 in an ASX release.
On November 7, it published a granular analysis detailing that the names, dates of birth, addresses, phone numbers, and email addresses of 9.7 million policy-holders had been stolen, including 5.1 million Medibank customers, 2.8 million customers of Medibank-owned subsidiary AHM and 1.8 million international customers.
Around 160,000 Medibank customers, 300,000 ahm customers, and 20,000 international customers also had their health claims data, including provider name and location, and procedure and diagnostic claim codes, exposed.
The Russia-based ransomware gang behind the hack, REvil, published victims’ information over its darkweb Happy Blog in November and December after Medibank’s board of directors refused to pay the 10 millions USD (A$15.5 million) ransom, including an ‘abortion’ file containing 303 patients’ details related to pregnancy terminations.
Emails between REvil and Medbank, revealed the gang infiltrated Medibank’s systems through purchasing a login credential that had been stolen from a Medibank employee or subcontractor and using it to access one of the health insurance provider’s virtual private networks.
While the joint release said that the law firms would pursue compensation through OAIC, Centennial Lawyers principal solicitor George Newhouse told the Australian Financial Review last year that other options for a class action included suing for breach of contract or breach of privacy.
Whether a right to sue for breach of privacy existed might need to be settled by the High Court, Newhouse said at the time.
One of closest precedents to the lawsuit is a case Centennial Lawyers won in 2019 on behalf of ambulance workers whose data was stolen by one of their employer’s contractors.
The NSW Health Department was ordered to pay 108 of its employees $275,000 in compensation.
The NSW Supreme Court found that the agency failed to prevent the theft of the ambulance workers’ data, which the contractor sold to a personal injury lawyer.