Current and former Medibank, ahm and international customers whose data was stolen.
Centennial Lawyers is investigating the impact of the 2022 Medibank cyberattack on current and former Medibank Private and ahm customers whose personal and health data was stolen and published on the dark web. The Office of the Australian Information Commissioner (OAIC) has also filed civil penalty proceedings against Medibank in the Federal Court.
Only an email address or mobile number is requested at this stage. You do not need to provide your name, documents or details about your circumstances to receive updates.
Current and former Medibank, ahm and international customers whose data was stolen.
Medibank detected unusual activity on 12–13 October 2022 and notified the ASX.
Sensitive health claims data including diagnosis codes, treatments and procedures.
OAIC civil penalty proceedings filed June 2024. Centennial Lawyers investigation open. Registrations accepted.
This keeps communications linked to the correct matter record. Official email communications may be sent from updates@medibankdatabreach.com.au.
In October 2022, a cybercriminal gained access to Medibank’s systems and exfiltrated data belonging to current and former Medibank Private, ahm and international student health cover customers. After Medibank refused to pay the ransom, the attacker published the stolen data on the dark web beginning in November 2022.
The exposed data included names, dates of birth, addresses, phone numbers, email addresses, Medicare card numbers, passport numbers and — for approximately 480,000 customers — sensitive health claims information including diagnosis codes, treatment details and provider names.
The timeline separates confirmed public facts from matters that remain under legal proceedings.
A cybercriminal obtained Medibank employee credentials via malware and used them to access Medibank’s corporate VPN and internal systems.
Medibank detected unusual activity on its systems and made an ASX disclosure. The OAIC was notified under the Notifiable Data Breaches scheme.
Medibank confirmed that data belonging to 9.7 million current and former customers had been stolen, including sensitive health claims data for approximately 480,000 customers.
After Medibank refused to pay the ransom demand, the attacker began releasing stolen customer data on the dark web, including sensitive health records.
The Australian Government, in coordination with the US and UK, identified and sanctioned Russian national Aleksandr Ermakov as the perpetrator of the cyberattack.
The Office of the Australian Information Commissioner filed civil penalty proceedings against Medibank in the Federal Court, alleging serious and repeated interferences with privacy.
Centennial Lawyers is accepting registrations from current and former Medibank and ahm customers affected by the data breach. The OAIC civil penalty proceedings against Medibank remain ongoing in the Federal Court.
The data stolen varies by customer. You do not need to confirm the affected data to register for updates.
In June 2024 the OAIC filed civil penalty proceedings against Medibank in the Federal Court, alleging serious and repeated interferences with the privacy of customers under the Privacy Act 1988 (Cth). This is a regulatory action brought by a government body — individual customers do not need to join or take any action to participate.
Provide one contact method only. You can receive updates without providing your name, circumstances or documents at this stage.
In August 2022 a cybercriminal obtained Medibank employee credentials via malware and used them to access Medibank’s internal systems. By October 2022, Medibank detected unusual activity and notified the ASX and the OAIC. The attacker exfiltrated data belonging to approximately 9.7 million current and former Medibank Private, ahm and international student health cover customers. After Medibank refused to pay the ransom, the attacker published stolen customer data on the dark web from November 2022 onwards.
You may be affected if you were a current or former Medibank Private customer, an ahm customer, or an international student health cover customer whose data was held by Medibank at the time of the breach. Approximately 480,000 customers had sensitive health claims data exposed, including diagnosis codes, treatment details and mental health records.
Stolen data included names, dates of birth, addresses, phone numbers, email addresses, Medicare card numbers, and passport numbers. For approximately 480,000 customers, sensitive health claims data was also exposed — including diagnosis codes, medical procedure codes, treatment details, health provider names, mental health and drug and alcohol treatment records, and pregnancy termination records.
In June 2024 the Office of the Australian Information Commissioner (OAIC) filed civil penalty proceedings against Medibank in the Federal Court of Australia, alleging serious and repeated interferences with the privacy of customers under the Privacy Act 1988 (Cth). This is a regulatory action brought by a government body on behalf of the public. Individual customers do not need to join or take any separate action to participate — the OAIC is acting in the public interest. Centennial Lawyers is conducting a parallel legal investigation on behalf of affected customers.
Centennial Lawyers is a plaintiff law firm conducting the legal investigation on behalf of affected Medibank and ahm customers. Centennial Lawyers is assessing potential legal options arising from the breach and will provide updates to registered individuals as the investigation progresses.
No. Registration for updates is completely free and carries no obligation. You will not be charged anything, and registering does not commit you to any legal action or create a solicitor–client relationship.
You will receive updates about the Medibank investigation as it progresses. You do not need to provide your name, documents or details about your circumstances at this stage. If the investigation advances to a formal legal proceeding you will be notified and given the opportunity to provide further information if relevant.
Your contact detail is collected solely to send you updates about the Medibank investigation and is handled in accordance with the Privacy Act 1988 (Cth). Only a single contact method (email address or mobile number) is required at registration stage. Your information will not be used for any purpose other than investigation updates without your separate consent. Full details are set out in the Privacy Policy and Collection Notice linked in the footer.
Key developments in the Medibank data breach investigation and OAIC civil penalty proceedings.
Centennial Lawyers has commenced its investigation into potential claims arising from the 2022 Medibank data breach. Affected current and former Medibank Private and ahm customers are encouraged to register for updates. Only a single contact method is required at this stage.
The Office of the Australian Information Commissioner filed civil penalty proceedings against Medibank Private Limited in the Federal Court of Australia in June 2024. The OAIC alleges serious and repeated interferences with the privacy of approximately 9.7 million Australians in contravention of the Privacy Act 1988 (Cth). Penalties under the Privacy Act can be significant.
In January 2024, the Australian Government — in coordination with the United States and United Kingdom — publicly identified and sanctioned Russian national Aleksandr Ermakov as the individual responsible for the Medibank cyberattack. This was the first time Australia had imposed a cyber sanction on an individual.
In August 2023 the Federal Court of Australia consolidated the competing class actions arising from the Medibank data breach into a single proceeding. Registrations for the consolidated proceeding remained open for affected customers.
Medibank confirmed on 7 November 2022 that data belonging to 9.7 million current and former customers had been stolen. After Medibank refused to pay the ransom, the attacker began publishing stolen data on the dark web from 9 November 2022, including sensitive health records for approximately 480,000 customers.
The primary public hub for the breach timeline, affected groups, OAIC civil penalty proceedings, and investigation registration.
The wider registry of Australian class actions and legal investigations, maintained by ClassActions.com.au as the authoritative public resource.