Sarah's* children have been insured under her Medibank family health insurance policy almost since they were born.
When she heard the company had been hacked — and the attacker had access to all Medibank customers' personal data and "significant amounts" of health claims data — she was furious.
Her kids are aged 12 and 9, and she has no idea if or what information about them may now be out there on the internet, or what to do.
"I feel like some dark shadowy force has the data," Sarah said.
"We're not quite sure what to do to protect the kids and their identity."
Since the Medibank breach was disclosed on October 13, the ABC has been contacted by parents concerned their children may be caught up in the data breach, and about the sensitivity of the information that may have been exposed.
A Medibank spokesperson confirmed some of the sample stolen data already shared with the company by the hacker included customers under the age of 18.
More broadly, they were also able to access personal data and health claims data for people who are or were under 18, but the full extent of the theft has not yet been established.
"We continue working to understand the specific data that has been accessed or removed by the criminal," the spokesperson said.
Along with personal information like address or date of birth, health claims data could reveal what kind of medical services someone has received, and potentially what illnesses or injuries they may be dealing with.
While adults are also at risk of scams or stigma due to the disclosure of health records, children are a special case — particularly because they don't always get a say about what carers sign them up for or share, said Megan Prictor, senior lecturer at Melbourne Law School.
A medical data leak could have implications in family violence situations, for example, if data revealed home addresses or healthcare service locations regularly used by a child.
'You're stuck with your medical history'
The longevity of harm is also of particular concern: the possibility that leaked data could be linked to children for life, along with the potential for discrimination associated with certain health conditions or care received in childhood.
"It's not like you can change a phone number or get a new driver's license," Dr Prictor said.
"Health data is unchangeable. You're stuck with your medical history."
Sarah has a chronic bowel disease, and her son is being investigated for the same issue. If his data is exposed, she's worried about how it might follow him in the future — when he applies for jobs, for example.
"Someone now knows that this nine-year-old kid potentially has this disease," she speculated.
"Who he decides to disclose that to in the future, that's his choice. It feels like that choice has been taken away."
Children need better privacy protections: experts
The Medibank hack has affected both past and present customers. The company has said it must store customer data for seven years under health record laws in the NSW, Victoria, and the ACT.
For individuals under 18, it must keep records until they are at least 25.
Unlike the United States or Europe, Australia does not have any federal data privacy law specifically for children. The Privacy Act, which is currently under review, is not age limited.
Dr Prictor, along with other privacy experts, argues we need to give much more consideration to data minimisation and data disposal — making companies collect only what they really need, then get rid of it properly — as well as forcing all institutions that hold our data to better protect that information.
A code that ensures companies are acting with the best interests of children in mind when it comes to their data is long overdue, according to Reset Australia executive director Chris Cooper.
"Other jurisdictions have already provided these protections to young people, including the UK, Ireland and California, and Australia needs to follow suit," he said in a statement.
Lauren Solomon, a senior researcher at the University of Technology Sydney Human Technology Institute, said Australia should also ensure the rights and values of children were better reflected in data privacy law.
Ms Solomon also pointed to the increasing collection of biometric information, like face or fingerprints, and how that might affect children who don't get a say in when it's shared.
"You can't change your face. You can't change your fingerprint.
"This is the reality, and the law needs to evolve to respond meaningfully."
For now, Sarah is waiting for Medibank to tell her whether or not her family's data has been stolen.
But she certainly doesn't want to hear about the insurer's bosses getting bonuses any time soon.
"You'd think that every Australian company was working 24-7 to get their systems locked down [after Optus]," she said.
"I'm just scared that after the initial attention and outrage, we'll all move on.
"Someone needs to be held accountable."
*Name has been changed to protect privacy