Medibank is now facing a series of class actions over recent data theft. 

Medibank, one of Australia's largest private health insurers, has been hit with its fifth class action in relation to the major data breach it suffered late last year. 

The Federal Court of Australia received the latest class action filed by Slater & Gordon, a leading compensation and class action law firm, on Friday, May 5. 

The lawsuit accuses the health insurer of breaching a number of customer data protection, privacy, and consumer laws, claiming that Medibank failed to protect or take reasonable steps to protect the personal information of its current, former, and prospective customers. 

The law firm listed several allegations on its website, claiming that Medibank breached its contract with Medibank customers, as well as the Australian Privacy Principles under the Privacy Act 1988 (Cth), the Private Health Insurance (Prudential Supervision) Act 2015 (Cth), and the Consolidating Prudential Standard 234 under the Australian Prudential Regulation Authority Standards. 

In addition, Medibank allegedly breached its duty of care to Medibank customers and the Australian Consumer Law.

Medibank has acknowledged the class action, declaring that it will defend against it. 

In an ASX listing on its website, the company stated that “the statement of claim includes allegations of breach of contract, negligence, and contraventions of the Australian Consumer Law. Medibank will defend the proceedings”. 

It also reiterated that it was providing affected customers with support through a Cyber Response Support Program, which includes mental health and wellbeing support, identity protection, and financial hardship measures.

This is the fifth lawsuit against Medibank since the major data breach in October last year, which affected about 9.7 million people, including 5.1 million Medibank customers, 2.8 million customers of its subsidiary ahm, and 1.8 million international customers. 

The breach was one of the worst in Australian history. 

Prior to Slater and Gordon, a joint class action was launched by Maurice Blackburn, Bannister Law Class Actions, and Centennial Lawyers. Maurice Blackburn also launched a solo class action against the health insurer. 

Following this, a second was launched by Quinn Emanuel Urquhart & Sullivan, and a third by Baker McKenzie.

In response to the breach, consulting company Deloitte conducted an external review and provided Medibank with the findings, including a number of recommendations relating to improving the insurer's IT security. 

Medibank has promised to “implement all recommendations not already undertaken, along with other enhancements previously planned”. 

However, the health insurer has not released the findings of the Deloitte review. 

Medibank has also stated that it will continue to review its cyber security governance arrangements, recognising the increasing prevalence of cybercrime and the need to meet the ongoing expectations of its customers.