Medibank is seeking to shield from a shareholder class action an “irrelevant” post-incident report by Deloitte into its massive October 2022 data breach.
Medibank has denied breaching privacy rules in response to the regulator’s case over a 2022 cyber attack, but has admitted sensitive data was hacked in part because its network lacked multi-factor authentication.
Medibank failed to put in place baseline security measures, including multi-factor authentication, to safeguard sensitive information from a hacker in 2022, who stole an IT contractor’s credentials and logged in to the health insurer’s private network three months before the company learned its data was compromised, the OAIC says.
A class action has argued Medibank cannot claim legal professional privilege over three Deloitte reports after disclosing them to reassure the market and customers after a massive 2022 data breach.
The chair of the Medibank board has given evidence that he engaged King & Wood Mallesons to commission expert reviews in the wake of a cyberattack, including three reports by Deloitte, after hearing rumours of class action investigations in October 2022.
More companies may find themselves in the position of Medibank — which recently failed to stay representative proceedings before the privacy regulator while a related class action is on foot — so long as the laws remain unchanged, and law firms are willing to gamble on privacy class actions.
A judge has dismissed a bid by Medibank to restrain the Office of Australian Information Commissioner from proceeding with a class action-style complaint on behalf of millions of the private health insurer’s customers affected by an October 2022 data breach.
The federal government has used its cyber sanction powers for the first time against a Russian individual identified as responsible for an attack against private health insurer Medibank that exposed almost 10 million customer records.
A judge has cautioned two law firms running competing shareholder class actions over last October’s cyber attack on Medibank that they must keep their focus on the best interests of clients and group members, saying lawyers can lose sight of that duty when arguing for their case.
Medibank is now facing five class actions over last October’s cyber attack that left exposed the personal data of 9.7 million customers, this one by shareholders of the private health insurer.