
Medibank Data Breach

Follow the Medibank data breach claims investigation.


Key facts

~9.7 million customers affected
The OAIC found that Medibank breached the Privacy Act following its 2022 data breach, which exposed sensitive customer information including personal and health data.
Personal and health claims data exposed
Free to follow, no obligation

About this matter

Separate from the Federal Court class action, Medibank is also the subject of an OAIC representative complaint lodged by Maurice Blackburn. The OAIC notice states that it accepted the representative complaint on 30 March 2023. The complaint alleges that Medibank interfered with the privacy of affected individuals by failing to comply with Australian Privacy Principle 11, which requires organisations to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. The OAIC expressly states that this representative complaint is separate from the Federal Court class action.

The OAIC representative complaint pathway may provide a mechanism for affected individuals to seek compensation or other remedies through the privacy regulator rather than directly through the Federal Court class action. Maurice Blackburn says the breach involved millions of current and former Medibank, ahm and international student account holders. Its public page states that the OAIC has been considering submissions about the process for assessing harm and finalising the matter.

Medibank is also facing separate civil penalty proceedings brought by the Australian Information Commissioner in the Federal Court. On 5 June 2024, the OAIC announced that it had filed civil penalty proceedings against Medibank in relation to the October 2022 breach. The Commissioner alleges that Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure. Medibank has indicated that it intends to defend those proceedings.

The OAIC allegations include serious questions about Medibank's cyber security controls. ABC reporting on court documents stated that the OAIC alleged the breach stemmed from compromised credentials associated with a contractor's IT service desk account and that the absence of multi-factor authentication was a key issue. These allegations remain part of contested legal proceedings and should be described as allegations unless and until determined by the court.

Frequently Asked Questions

10 questions answered

What happened in the Medibank data breach?

In October 2022, Medibank Private confirmed that a criminal threat actor had gained unauthorised access to its systems and extracted data belonging to approximately 9.7 million current and former customers, including ahm and international student policyholders. The stolen data included names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, and — for many customers — sensitive health claims information including diagnosis codes and procedure details. Medibank refused to pay the ransom demanded. The threat actor subsequently released the stolen data on the dark web in multiple tranches.

Who was affected by the breach?

Approximately 9.7 million current and former Medibank Private, ahm, and international student customers were affected. Health claims data — which is among the most sensitive personal information that exists — was accessed for a significant subset of those customers. The breach is one of the largest health data breaches in Australian history.

Was the stolen data actually released publicly?

Yes. After Medibank refused to pay the ransom, the threat actor released the stolen data on the dark web in multiple tranches beginning in November 2022. This included files labelled "good-list" and "naughty-list" containing sensitive health information. The release on the dark web is a separate and serious harm to affected customers — it exposed them to risks of identity theft, fraud, and reputational damage.

What is the OAIC complaint about?

The Office of the Australian Information Commissioner (OAIC) investigated the breach and filed a civil penalty complaint against Medibank Private in the Federal Court of Australia. The OAIC alleges that Medibank failed to take reasonable steps to protect the personal information it held, in breach of the Australian Privacy Act 1988. This is a regulatory proceeding brought by the Commissioner — it is separate from the consumer class action proceeding (McClure v Medibank Private Ltd, VID64/2023).

What are the OAIC civil penalty proceedings?

The OAIC commenced civil penalty proceedings in the Federal Court of Australia against Medibank Private, alleging serious and repeated interferences with privacy under the Privacy Act 1988. Civil penalty proceedings can result in substantial financial penalties if the court finds Medibank failed to meet its legal obligations to protect customer data. These proceedings are ongoing — this page will publish significant court steps and public outcomes as they occur.

What was the Deloitte report and what happened in the Full Federal Court?

Medibank commissioned a cybersecurity review by Deloitte following the breach. Litigation over access to the Deloitte report has been a significant procedural issue in the civil penalty proceedings — specifically, whether the report is protected from disclosure. The Full Federal Court has been involved in determining questions related to use of the Deloitte report as evidence. The outcome of that interlocutory dispute affects what information is available to the OAIC and the court in assessing Medibank's conduct before and after the breach.

Is there a shareholder class action against Medibank?

Yes. A separate shareholder class action has been filed against Medibank Private. The shareholder class action relates to alleged misleading or deceptive conduct and breaches of continuous disclosure obligations — specifically, whether Medibank adequately disclosed its cybersecurity risks to shareholders before and after the breach became public. This is a distinct proceeding from both the OAIC civil penalty case and the Federal Court consumer class action.

How does this matter differ from the Federal Court class action (McClure v Medibank)?

There are multiple overlapping but distinct proceedings arising from the Medibank breach. This matter covers the broader breach ecosystem — the OAIC complaint, the civil penalty proceedings, the dark web release, and the shareholder class action. The Federal Court consumer class action — McClure v Medibank Private Ltd (VID64/2023) — is a separate proceeding brought on behalf of affected individuals, led by Zoe Lee McClure as the lead applicant, seeking compensation for loss and damage caused by the breach. That proceeding has its own page on this platform.

Should I preserve any evidence or records relating to the breach?

If you were affected by the Medibank data breach, it is good practice to retain any communications you received from Medibank about the breach, any evidence of harm you have experienced (such as fraudulent transactions, identity theft incidents, or distress-related expenses), and records of steps you have taken to protect yourself. Retaining this information may be relevant if you participate in any legal proceedings. This is general public information only and does not constitute legal advice.

Does following this matter cost anything or create a legal obligation?

No. Following this matter is completely free. You will not be asked for payment details and you are under no obligation of any kind. Following this matter does not create a solicitor-client relationship and is not a legal retainer. It means you will receive public updates about significant developments in the Medibank proceedings as they occur.