Official matter website: MedibankDataBreach.com.au
Medibank Data Breach
Public information and investigation registration
Register for updates
Investigation open

Medibank Data Breach Investigation

Centennial Lawyers is investigating the impact of the 2022 Medibank cyberattack on current and former Medibank Private and ahm customers whose personal and health data was stolen and published on the dark web. The Office of the Australian Information Commissioner (OAIC) has also filed civil penalty proceedings against Medibank in the Federal Court.

Register for updates Review the known facts

Only an email address or mobile number is requested at this stage. You do not need to provide your name, documents or details about your circumstances to receive updates.

Customers affected
9.7 million

Current and former Medibank, ahm and international customers whose data was stolen.

Breach detected
October 2022

Medibank detected unusual activity on 12–13 October 2022 and notified the ASX.

Health records stolen
~480,000

Sensitive health claims data including diagnosis codes, treatments and procedures.

Investigation status
Investigation open

OAIC civil penalty proceedings filed June 2024. Centennial Lawyers investigation open. Registrations accepted.

Official communication channels

Use the website forms for all registrations and enquiries

This keeps communications linked to the correct matter record. Official email communications may be sent from updates@medibankdatabreach.com.au.

Fraud and document warning
We will not ask by unsolicited email for passwords, banking credentials or identity document copies. Do not email sensitive documents unless requested through an authorised portal communication.
Why you may be affected

9.7 million Medibank and ahm customers had their data stolen and published online

In October 2022, a cybercriminal gained access to Medibank’s systems and exfiltrated data belonging to current and former Medibank Private, ahm and international student health cover customers. After Medibank refused to pay the ransom, the attacker published the stolen data on the dark web beginning in November 2022.

The exposed data included names, dates of birth, addresses, phone numbers, email addresses, Medicare card numbers, passport numbers and — for approximately 480,000 customers — sensitive health claims information including diagnosis codes, treatment details and provider names.

Incident chronology

Verified public timeline

The timeline separates confirmed public facts from matters that remain under legal proceedings.

  1. August 2022
    Attacker

    Initial access obtained

    A cybercriminal obtained Medibank employee credentials via malware and used them to access Medibank’s corporate VPN and internal systems.

  2. 12–13 October 2022
    Medibank / ASX

    Breach detected and disclosed

    Medibank detected unusual activity on its systems and made an ASX disclosure. The OAIC was notified under the Notifiable Data Breaches scheme.

  3. 7 November 2022
    Medibank

    Full extent revealed — 9.7 million customers

    Medibank confirmed that data belonging to 9.7 million current and former customers had been stolen, including sensitive health claims data for approximately 480,000 customers.

  4. 9 November 2022 onwards
    Attacker / Dark web

    Stolen data published on dark web

    After Medibank refused to pay the ransom demand, the attacker began releasing stolen customer data on the dark web, including sensitive health records.

  5. March 2024
    Australian Government

    Attacker identified and sanctioned

    The Australian Government, in coordination with the US and UK, identified and sanctioned Russian national Aleksandr Ermakov as the perpetrator of the cyberattack.

  6. June 2024
    OAIC

    OAIC files civil penalty proceedings

    The Office of the Australian Information Commissioner filed civil penalty proceedings against Medibank in the Federal Court, alleging serious and repeated interferences with privacy.

  7. Current
    Centennial Lawyers

    Centennial Lawyers investigation — registrations open

    Centennial Lawyers is accepting registrations from current and former Medibank and ahm customers affected by the data breach. The OAIC civil penalty proceedings against Medibank remain ongoing in the Federal Court.

Information involved

What types of data were stolen?

The data stolen varies by customer. You do not need to confirm the affected data to register for updates.

Personal and identity information

  • Names
  • Dates of birth
  • Addresses
  • Phone numbers and email addresses
  • Medicare card numbers
  • Passport numbers and visa details

Sensitive health claims data

  • Diagnosis codes
  • Medical procedure codes
  • Treatment and service details
  • Health provider names
  • Mental health, drug and alcohol treatment records
  • Pregnancy termination records

Health insurance information

  • Policy details
  • Membership numbers
  • Benefit and claims history
Who is affected

Individuals who may be eligible

  • Current or former Medibank Private customers
  • Current or former ahm customers
  • International student health cover customers
  • Customers whose sensitive health claims data was published on the dark web
  • Customers notified by Medibank of the breach
  • Anyone whose Medicare number, passport or personal data was stolen
Regulatory proceedings

OAIC civil penalty action

In June 2024 the OAIC filed civil penalty proceedings against Medibank in the Federal Court, alleging serious and repeated interferences with the privacy of customers under the Privacy Act 1988 (Cth). This is a regulatory action brought by a government body — individual customers do not need to join or take any action to participate.

  • Filed June 2024 in the Federal Court
  • Alleges Medibank failed to take reasonable steps to protect personal information
  • Penalties can be significant under the Privacy Act
  • No individual action required to be covered by the OAIC proceedings
Minimal registration

Register for investigation updates

Provide one contact method only. You can receive updates without providing your name, circumstances or documents at this stage.

Preferred contact method

No name, address or documents are requested at this stage.

Frequently asked questions

Common questions about the Medibank investigation

What happened in the Medibank data breach?

In August 2022 a cybercriminal obtained Medibank employee credentials via malware and used them to access Medibank’s internal systems. By October 2022, Medibank detected unusual activity and notified the ASX and the OAIC. The attacker exfiltrated data belonging to approximately 9.7 million current and former Medibank Private, ahm and international student health cover customers. After Medibank refused to pay the ransom, the attacker published stolen customer data on the dark web from November 2022 onwards.

Who is affected?

You may be affected if you were a current or former Medibank Private customer, an ahm customer, or an international student health cover customer whose data was held by Medibank at the time of the breach. Approximately 480,000 customers had sensitive health claims data exposed, including diagnosis codes, treatment details and mental health records.

What data was exposed?

Stolen data included names, dates of birth, addresses, phone numbers, email addresses, Medicare card numbers, and passport numbers. For approximately 480,000 customers, sensitive health claims data was also exposed — including diagnosis codes, medical procedure codes, treatment details, health provider names, mental health and drug and alcohol treatment records, and pregnancy termination records.

What is the OAIC civil penalty proceeding?

In June 2024 the Office of the Australian Information Commissioner (OAIC) filed civil penalty proceedings against Medibank in the Federal Court of Australia, alleging serious and repeated interferences with the privacy of customers under the Privacy Act 1988 (Cth). This is a regulatory action brought by a government body on behalf of the public. Individual customers do not need to join or take any separate action to participate — the OAIC is acting in the public interest. Centennial Lawyers is conducting a parallel legal investigation on behalf of affected customers.

Who is Centennial Lawyers?

Centennial Lawyers is a plaintiff law firm conducting the legal investigation on behalf of affected Medibank and ahm customers. Centennial Lawyers is assessing potential legal options arising from the breach and will provide updates to registered individuals as the investigation progresses.

Does it cost anything to register?

No. Registration for updates is completely free and carries no obligation. You will not be charged anything, and registering does not commit you to any legal action or create a solicitor–client relationship.

What happens after I register?

You will receive updates about the Medibank investigation as it progresses. You do not need to provide your name, documents or details about your circumstances at this stage. If the investigation advances to a formal legal proceeding you will be notified and given the opportunity to provide further information if relevant.

How is my personal information handled?

Your contact detail is collected solely to send you updates about the Medibank investigation and is handled in accordance with the Privacy Act 1988 (Cth). Only a single contact method (email address or mobile number) is required at registration stage. Your information will not be used for any purpose other than investigation updates without your separate consent. Full details are set out in the Privacy Policy and Collection Notice linked in the footer.

News and updates

Investigation and proceeding updates

Key developments in the Medibank data breach investigation and OAIC civil penalty proceedings.

Investigation update July 2025

Centennial Lawyers investigation open — registrations accepted

Centennial Lawyers has commenced its investigation into potential claims arising from the 2022 Medibank data breach. Affected current and former Medibank Private and ahm customers are encouraged to register for updates. Only a single contact method is required at this stage.

Regulatory action June 2024

OAIC files civil penalty proceedings against Medibank

The Office of the Australian Information Commissioner filed civil penalty proceedings against Medibank Private Limited in the Federal Court of Australia in June 2024. The OAIC alleges serious and repeated interferences with the privacy of approximately 9.7 million Australians in contravention of the Privacy Act 1988 (Cth). Penalties under the Privacy Act can be significant.

Law enforcement January 2024

Attacker identified and sanctioned by Australian, US and UK governments

In January 2024, the Australian Government — in coordination with the United States and United Kingdom — publicly identified and sanctioned Russian national Aleksandr Ermakov as the individual responsible for the Medibank cyberattack. This was the first time Australia had imposed a cyber sanction on an individual.

Court August 2023

Federal Court consolidates competing class actions

In August 2023 the Federal Court of Australia consolidated the competing class actions arising from the Medibank data breach into a single proceeding. Registrations for the consolidated proceeding remained open for affected customers.

Breach November 2022

Medibank confirms 9.7 million customers affected — data published on dark web

Medibank confirmed on 7 November 2022 that data belonging to 9.7 million current and former customers had been stolen. After Medibank refused to pay the ransom, the attacker began publishing stolen data on the dark web from 9 November 2022, including sensitive health records for approximately 480,000 customers.

MedibankDataBreach.com.au

Investigation information and registration

The primary public hub for the breach timeline, affected groups, OAIC civil penalty proceedings, and investigation registration.

ClassActions.com.au

Australian class actions registry

The wider registry of Australian class actions and legal investigations, maintained by ClassActions.com.au as the authoritative public resource.