More Australians have found themselves caught up in Medibank's massive data breach, with ahm revealing potential customers who merely requested a quote have also had their data exposed, as a class action against the private health fund is announced.
Months after the October 2022 Medibank hack which saw the personal information of up to 9.7 million customers leaked on the dark web, Medibank's budget insurance company sub-brand ahm shared an alarming update.
"If you ever requested a quote from us and we took some of your information, you will have been affected by the cyber event," the company said.
For prospective customers who requested a quote from ahm, breached data may include full names, dates of birth, emails – and, where provided to ahm – genders, addresses and phone numbers.
"We understand the distress the cyber event may cause you, and we are here to help," said ahm.
In December, after Medibank refused to pay out a hefty ransom, the hackers behind the attack dumped what was thought to be the remaining stolen data on the dark web in a post declaring 'case closed'.
The attack was widely believed to primarily impact existing customers of ahm and Medibank, however, ahm's data collection practices extend to would-be customers from the moment they request a quote.
In an informational page on its website, ahm says: "We retain information relating to quotes for a period of time as there are prospective customers who do end up coming back to ahm to take up the quote, sometimes months later.
"Rather than customers needing to enter all their information again, their quote remains in the system for a period of time."
The health insurer also addressed concern over credit cards, banking details and ID documents, stating ahm "don't usually" collect primary identity documents for Australian resident customers.
"We don’t believe the criminal has stolen your credit card or banking details, health claims data, or primary identity documents like a driver’s licence," said ahm.
The ABC reported seeing an email sent late last week to a potential ahm customer who had obtained a quote, where ahm informed them their data had been stolen by hackers and posted online.
ahm reportedly apologised in the email, saying it "recognised the distress that this may cause."
Case far from closed
Meanwhile, a collection of leading law firms have "joined forces" to lead a landmark data breach complaint against Medibank.
In what could shape up to be a precedential case, Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers have united in an effort that "could secure compensation payments for as many as 9.7 million affected customers."
A press release from Maurice Blackburn revealed the three firms have already registered "tens of thousands" of Medibank customers as they investigate compensation claims.
This collaborative legal action can be traced back to last November, when Maurice Blackburn lodged a complaint against Medibank with the Office of the Australian Information Commissioner (OAIC).
OAIC has the power to order compensation, which the firms are now pursuing under their joint cooperation agreement for those affected by the data breach.
Bannister Law Class Actions Principal Charles Bannister voiced a desire for swift compensation payments to the millions of Medibank customers whose data was breached.
“We believe the data breach is a betrayal of Medibank Private’s customers and a breach of the Privacy Act," said Bannister.
"Medibank has a duty to keep this kind of information confidential."
Adjunct Professor George Newhouse of Centennial Lawyers said the data breach exposes a "lack of safeguards in place to prevent such personal and private information being released to wrongdoers".
He also said "Medibank and AHM have failed policy holders.”
According to a spokesperson at Maurice Blackburn, customers do not have to register with the law firms in order to benefit from the complaint.
Customers are encouraged, however, to register and stay informed on the complaint via regular updates.
"If you are a current or former Medibank, AHM or international student customer you are eligible
to register to receive regular updates about the complaint and any compensation which may be
sought on your behalf," said Maurice Blackburn.
The firms have also launched an online web page where existing or former Medibank, Medibank OSHC or ahm members can register for the complaint and potential class action.
The health insurer says it will continue to cooperate with the OAIC and its ongoing investigation.
"Medibank continues to support its customers from the impact of this crime through our previously announced Cyber Response Support Program which includes mental health and wellbeing support, identity protection and financial hardship measures," Medibank said.