Three law firms are pursuing compensation potentially worth billions of dollars for the Medibank customers affected by a massive data breach at the health insurer, while an investigation into a potential class action against Optus for its data breach is progressing.
Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers on Monday confirmed they are pursuing Medibank on behalf of customers, by running a joint data breach complaint with the privacy regulator.
Based on the watchdog’s previous compensation determinations for data breaches, the payout could cost the insurer up to between $4.84 billion and $194 billion because of the number of customers involved.
Around 9.7 million current and former customers of Medibank and budget subsidiary ahm had their personal information, including names, dates of birth, address, phone numbers and email addresses, as well as sensitive data about claims, compromised in the data breach in September. Some of the data was then released to the dark web, according to the company.
Along with the Optus incident also reported that month, the events are considered some of the largest data breaches in Australia to date and have led to bigger penalties and other policy responses.
The Office of the Australian Information Commissioner (OAIC) received a complaint about the Medibank incident from Maurice Blackburn in November. The regulator launched an investigation in early December as it was also probing the Optus data breach.
InnovationAus.com understands a potential Optus class action investigation by another law firm, Slater and Gordon, is also well advanced. But the firm has not yet lodged a statement of claim.
Maurice Blackburn Lawyers, Bannister Law Class Actions on Monday announced the companies would partner on a joint cooperation agreement against Medibank and ahm after registering tens of thousands of customers.
“We believe the data breach is a betrayal of Medibank Private’s customers and a breach of the Privacy Act,” Bannister Law Class Actions principal Charles Bannister said in a statement.
“Medibank has a duty to keep this kind of information confidential.”
The trio will go through the OAIC, which has the power to award compensation. The watchdog has previously said compensation for non-economic loss resulting from a data breach compromising personal information may range from $500 to more than $20,000 for “extreme loss”.
“The data breach exposes the lack of safeguards in place to prevent such personal and private information being released to wrongdoers and Medibank and ahm have failed policy holders,” Adjunct Professor George Newhouse of Centennial Lawyers said.
Medibank was contacted for comment.
