Custom
Custom

Register for the Medibank, Medibank OSHC and ahm data breach OAIC complaint & potential class action.

Are you a current or former Medibank, Medibank OSHC or ahm member, or have you been notified by Medibank or ahm that your personal information has been exposed?

Leading law firms Bannister Law Class Actions, Maurice Blackburn Lawyers, and Centennial Lawyers have joined forces to run a landmark data breach complaint against Medibank that could secure compensation payments for as many as 9.7 million affected customers.

What personal information has been released to the dark web?


Hackers have released the sensitive personal information of current and former Medibank and ahm members. The data is understood to include:


  • lock-unlock-2
    Name
  • lock-unlock-2
    Date of birth
  • lock-unlock-2
    Address
  • lock-unlock-2
    Phone number
  • lock-unlock-2
    Email address
  • lock-unlock-2
    HIV details
  • lock-unlock-2
    Drug and alcohol addiction cases
  • lock-unlock-2
    Mental health treatment status and claims
  • lock-unlock-2
    Information relating to the termination of pregnancy, including non-viable pregnancy, ectopic pregnancy, molar pregnancy, miscarriages, and readmission for complications.

Medibank and ahm data hack timeline

13 October 2022


Yesterday the Medibank Group detected unusual activity on its network. 


In response to this event, Medibank took immediate steps to contain the incident, and engaged specialised cyber security firms.


At this stage there is no evidence that any sensitive data, including customer data, has been accessed.


9 November 2022


Hackers release personal records to the dark web.


The data is understood to included names, birth dates, passport numbers and information on medical claims for hundreds of customers who were separated into "naughty" and "nice" lists.


Some on the "naughty" list had numeric codes that appeared to link them to drug addiction, alcohol abuse and HIV infection.


10 November 2022


Hackers release further personal records to the dark web.


The data in the file is understood to include procedures claimed by a policyholder related to the termination of pregnancy, including non-viable pregnancy, ectopic pregnancy, molar pregnancy, miscarriages, and readmission for complications.


11 November 2022


Hackers release further personal records to the dark web.


The new data released is believed to include mental health statuses, drug and alcohol addiction cases, and HIV details of another 241 customers.


14 November 2022


Hackers release further personal records to the dark web.


On Sunday night the group posted a file on its dark web blog labelled “psychos”, which contains hundreds of claims from policyholders that appear to be related to mental health treatment.


Medibank confirmed 500 records were included in the list, including 46 records from previous lists of released personal data.


20 November 2022


Hackers have released more stolen Medibank data, with the medical records of almost 1,500 customers released on Sunday on the dark web.


The data is believed to include information about mental health and chronic conditions.


Medibank on Sunday said four new files containing 1,496 records were released on the dark web over the weekend, of which 123 records had already been released. The company is analyzing the material to determine its accuracy, as previous files released by the hackers have not matched its records.


1 December 2022


Hackers are believed to have released 6.4 gigabytes 

of data on the dark web.

Medibank are conducting further analysis on the files today and at this stage believe:

• There are 6 zipped files in a folder called ‘full’ containing the raw data that we believed the criminal stole

• Much of the data is incomplete and hard to understand

• For example, health claims data released today has not been joined with customer name and contact details


16 January 2023


Leading law firms Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers have joined forces to run a landmark data breach complaint against Medibank that could secure compensation payments for as many as 9.7 million affected customers.

  

The firms this week entered a joint cooperation agreement against Medibank and AHM in relation to the data breach. The firms have been investigating compensation claims and have already registered tens of thousands of Medibank customers.


Last November, Maurice Blackburn made a representative complaint to the Office of the Australian Information Commissioner (OAIC), which has the power to order compensation. The complaint alleges Medibank breached the Privacy Act 1988 (Cth) and failed to adequately protect the personal and health information of its current and former customers.


Under the co-operation agreement, the firms will now pursue the OAIC complaint seeking compensation for those affected by the data breach and consider the potential class action.

What information has been compromised?


Medibank Private has stated:


"Based on our investigation to date into this cybercrime we currently believe the criminal has accessed:


Name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives.  This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers


Medicare numbers (but not expiry dates) for ahm customers


Passport numbers (but not expiry dates) and visa details for international student customers 


Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers.  This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered.  Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed


Health provider details, including names, provider numbers and addresses".

Am I affected?


If you are a current or former Medibank or ahm member, you are eligible to register to receive updates about the OAIC complaint or class action investigation into any potential action and compensation which may be sought on your behalf.


Registration is free. You do not need to pay anything to register for the OAIC complaint or potential class action.

Frequently asked questions

How long does it take to register?


It's quick and easy to register.

It should take you less than a minute to register your interest.

Can I use my mobile phone to register?


Yes, our registration page is optimised for mobile devices.

What is the Medibank and ahm data breach class action investigation about?


Leading law firms Bannister Law Class Actions, Maurice Blackburn Lawyers and Centennial Lawyers have joined forces to run a landmark data breach complaint against Medibank that could secure compensation payments for as many as 9.7 million affected customers. 

The firms this week entered a joint cooperation agreement against Medibank and AHM in relation to the data breach. The firms have been investigating compensation claims and have already registered tens of thousands of Medibank customers.

Under the co-operation agreement, the firms will now pursue the OAIC complaint seeking compensation for those affected by the data breach. 

Medibank has stated:

Based on our investigation to date into this cybercrime we currently believe the criminal has accessed:

Name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives.  This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers

Medicare numbers (but not expiry dates) for ahm customers

Passport numbers (but not expiry dates) and visa details for international student customers 

Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers.  This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered.  Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed

Health provider details, including names, provider numbers and addresses

Who is eligible to participate in the Mebibank data breach class action investigation?


Anyone who is an existing or former Medibank, Medibank OSHC or ahm member, or have you been notified by Medibank or ahm that your personal information has been exposed is eligible to register.

What information do I need to register for the Medibank data breach class action investigation?


In order to register, you will need to provide us with:

- your name

- your telephone number

- email address 

I am no longer a member of Medibank or ahm, can I still register?


Yes, former Medibank, Medibank OSHC and ahm members are eligible to register.

How much does it cost to register?


Registration is free. You do not need to pay anything to register for the data breach investigation.

You have the option to engage Bannister Law Class Actions and Centennial Lawyers to act on your behalf. At this stage, the amount we estimate for fees is under the amount required by us to enter a costs agreement, which is $825 incl GST.

We will not charge any gap between what we recover in costs from Medibank and what the commissioner allows for your costs.

The costs are being conducted on ‘NO-WIN, NO FEE’ basis. 

Please note that, if after review of your survey of your circumstances, which you should receive shortly, we believe that you fall into a more serious category of those affected, then we may seek to enter a different costs agreement with you.

What is an OAIC Complaint?


The Office of the Australian Information Commissioner (OAIC) commenced its investigation on October 2022, which has the power to order compensation. The complaint alleges Medibank breached the Privacy Act 1988 (Cth) and failed to adequately protect the personal and health information of its current and former customers.

The OAIC is an independent national regulator for privacy and freedom of information. The OAIC promotes and upholds people's rights to access government-held information and have their personal information protected.

The OAIC acts as an impartial third party when investigating and resolving a complaint. Generally, their powers to consider and resolve complaints come from the Privacy Act.

A possible outcome for a complaint may be:

• Taking steps to address the matter (such as being given access to personal information or having a record corrected)

• An apology

• A change to the practices or procedures of the organisation or agency complained about

• Training staff

• Compensation for financial or non-financial loss

• Other non-financial options (such as a complimentary subscription to a service

• No result

In some situations, the OAIC may also accept an undertaking from the organisation or agency complained about to do, or stop doing, a specific thing so they don’t breach the Privacy Act. If they fail to meet the undertaking, the OAIC can ask a court to enforce it.

Where a breach of privacy is very serious, the OAIC may seek a civil penalty. 

Who are the lawyers?


Centennial Lawyers is probably the only firm to have run and settled a court-based class action case in Australia for data breaches against the Ambulance Service of NSW. Evans v Health Administration Corporation [2019] NSWC 1781

George Newhouse is the Principal Solicitor of the National Justice Project and an Adjunct Professor of Law at Macquarie University. He is well known for his work in fighting for justice for people experiencing mental health issues, LGBTIQ+, immigrants, prisoners, asylum seekers, youth detainees, and First Nations people.

Maurice Blackburn Lawyers is a leading Australian class actions law firm with an unparalleled record of helping clients secure the nations’ largest class actions recoveries, totaling over $3.7 billion since 1998.

Bannister Law Class Actions has a proven track record on major class actions in Australia such as running the Toyota Class Action which resulted in one of the first aggregate damages awards and an amount in excess of $2 billion.

Does this investigation have the potential to become a class action?


Yes. We are still considering the potential for this data breach investigation to become a class action, and will ultimately act in the best interests of group members. 

A class action is a court proceeding in which seven or more than seven people (the class/the group) are suing one person or company for similar reasons (in legal language, it is called common issues of law or facts). One or more of the individuals in the group can start the case on behalf of the class.

The class action process is intended to save time and expense and avoids the need for the court to determine common issues of fact or law more than once for each of the group members. It enables disputes and claims involving large numbers of people to be resolved via a single case.


Why should I register?


When you register, you will need to provide your details and information about your claims to Bannister Law Class Actions and Centennial Lawyers. 

You will receive our matter updates if you register, and reminders for key dates of court events if the matter proceeds.

Do I need to provide details of all members under my policy?

At this stage, you only need to register your own contact details to receive updates. At a later stage, we may request more information and ask you to register the details of any other affected person that you represent (for example, family members).



Resources

If you have been affected by the Medibank or ahm data breach, we encourage you to look at the following resources to help protect yourself:

If you are concerned that your identity has been compromised or you have been a victim of a scam, contact your bank immediately and call IDCARE on 1800 595 160.

beyondblue

Information and support for anxiety and depression

Phone: 1300 224 636

Chat online every day from 3pm to 12am (AEST), or email any time

Lifeline

Personal crisis support

Phone: 13 11 14

Lifeline’s online chat service is available every night

Kids Helpline

Support for young people any time and for any reason

Phone: 1800 55 1800

You can also chat to a web counsellor from 12pm to 10pm (AEST) on weekdays and 10am to 10pm (AEST) on weekends, or email a Kids Helpline counsellor any time

Suicide Call Back Service

Phone: 1300 659 467

Suicide Call Back Service is a free nationwide service providing 24/7 phone and online counselling to people affected by suicide.

Headspace

Phone: 1800 650 890

Each year, we help thousands of young people, and their family and friends, access vital support through our headspace services in over 145 communities across Australia, our online and phone counselling services, our vocational services, and our presence in schools.  

ReachOut

Website: au.reachout.com

A safe place to chat anonymously, get support, and feel better.

MensLine Australia

Phone: 1300 789 978

MensLine Australia is a free telephone and online counselling service offering support for Australian men anywhere, anytime.

Care Leavers Australasia Network (CLAN)

Phone: 1800 008 774

We are here to listen, hear, believe and acknowledge all Care Leavers’ experiences and to raise awareness about the abuse, neglect and trauma they suffered. We are here to help you, not harm you.

Head to Health

Website: headtohealth.gov.au

Find digital mental health resources from trusted service providers

If the Medibank and ahm data breach causes you distress, try to reach out to family or friends or a support service below for help.

If you are in immediate direct or imminent physical harm as a result of your information being compromised by the Medibank or ahm data breach, please call 000 and seek assistance.

Medibank Data Breach News

19 January 2023

18 January 2023

17 January 2023

16 January 2023

MEDIBANK PRIVATE & AHM CLASS ACTION INVESTIGATION & OAIC COMPLAINT.

Leading law firms Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers have joined forces to run a landmark data breach complaint against Medibank that could secure compensation payments for as many as 9.7 million affected customers.

The firms this week entered a joint cooperation agreement against Medibank and AHM in relation to the data breach. The firms have been investigating compensation claims and have already registered tens of thousands of Medibank customers.

Last November, Maurice Blackburn lodged a formal representative complaint against Medibank with the Office of the Australian Information Commissioner, which has the power to order compensation.

Under the co-operation agreement, the firms will now pursue the OAIC complaint seeking compensation for those affected by the data breach.

Bannister Law Class Actions Principal Charles Bannister said he hoped the co-operation agreement would lead swiftly to compensation payments to the millions of Medibank customers whose data was breached.

“We believe the data breach is a betrayal of Medibank Private’s customers and a breach of the Privacy Act. Medibank has a duty to keep this kind of information confidential” Mr Bannister said.

“The data breach exposes the lack of safeguards in place to prevent such personal and private information being released to wrongdoers and Medibank & AHM have failed policy holders.” Said Adjunct Professor George Newhouse of Centennial Lawyers.

Maurice Blackburn’s head of class actions Andrew Watson said the cooperation agreement was a significant development.

“This data breach has caused millions of Australians significant distress. The cooperation agreement ensures that all three law firms are working together for the common aim of obtaining compensation for those affected as quickly as possible.”

On 13 October 2022, Medibank Private Limited confirmed in an ASX release that it had detected “unusual activity” on its network on 12 October 2022. By 20 October 2022, Medibank disclosed that its customer data had been accessed and stolen by a third party. Medibank has since confirmed that about 9.7 million current and former Medibank, AHM and international student customers, and some of their authorised representatives, had personal data and significant amounts of health claim data accessed in the Data Breach.

If you are a current or former Medibank, AHM or international student customer you are eligible to register to receive regular updates about the Complaint and any compensation which may be sought on your behalf.

12 December 2022

8 December 2022

6 December 2022

2 December 2022

1 December 2022

25 November 2022

23 November 2022

22 November 2022

21 November 2022

20 November 2022

19 November 2022

17 November 2022

16 November 2022

15 November 2022

14 November 2022

13 November 2022

12 November 2022

11 November 2022

10 November 2022

9 November 2022