Date: 2023-02-08

Health insurer Medibank has vowed to defend a class action over its massive data breach.

The agency filed in the Federal Court on Tuesday, as the fallout continues from a spate of ransomware hits, which the government has tacitly attributed to the Russia-based REvil extortion-as-a-service gang.

The class action ups the stakes on the government to get tough on lax corporate cyber-security standards and implement reforms to address chronic personal-data hoarding by organisations under the guise of know-your-customer compliance obligations.

“The statement of claim includes allegations of breach of contract, contraventions of the Australian Consumer Law, and breach of equitable obligations of confidence,” Medibank said in a statement.

“Medibank will defend the proceedings.”

The class action is being run by tech-savvy law firm Baker & McKenzie and is being financially backed by litigation funder Omni Bridgeway.

Minister for home affairs Clare O’Neil has previously branded the Medibank hackers “scumbags” and “Russian thugs” after the cyber intruders started to leak highly confidential and sensitive medical and health details, including treatments for mental health issues and addiction.

Since then the government has set up a new unit drawing in the Australian Federal Police and Australian Signals Directorate to run a joint standing operation to investigate, target and disrupt cyber-criminal syndicates.

Australia is also currently leading a ‘Disruption Working Group’ as part of the ‘International Counter Ransomware Initiative’, a multilateral cyber pest control aimed at curbing attacks and hacks.

A firming view in some cyber and intelligence circles is that mass harvesting of personal information is being undertaken because fraudsters and scammers are shifting their modus operandi from technical thefts — such as online credit card fraud — to straight payment request cons, where consumers or businesses are duped into authorising a payment to crooks.

Britain in particular has seen a huge surge in payment cons after it sent Authorised Push Payments live, with consumers wearing the bulk of the losses rather than merchants or banks. Personal information helps customise those cons to make them more believable.

In Australia, as the litigation storm clouds grow, Medibank is seeking to reassure customers it is there to support them.

“Medibank continues to support its customers from the impact of the cybercrime through our previously announced Cyber Response Support Program, which includes mental health and wellbeing support, identity protection and financial hardship measures,” the insurer said.

