Medibank Data Breach
Follow the OAIC complaint concerning Medibank's 2022 data breach.
About this matter
Medibank is facing a consumer class action in the Federal Court of Australia arising from its major October 2022 cyber incident. The breach affected approximately 9.7 million current and former Medibank, ahm and international student customers, making it one of Australia's largest health data breaches. The information involved included personal information and sensitive health-related information, including names, dates of birth, addresses, phone numbers, email addresses, some Medicare card numbers, some passport numbers and health claims information. Some stolen information was later released on the dark web.
The consumer class action focuses on whether Medibank failed to take reasonable steps to protect customer information and whether affected customers may be entitled to compensation. Slater and Gordon states that it reached an agreement with Baker McKenzie to consolidate their respective class actions against Medibank into a single proceeding. According to Slater and Gordon, the Federal Court approved that consolidation on 1 August 2023, with Baker McKenzie taking responsibility for the consolidated proceeding.
A significant recent development concerns Medibank's attempt to resist production of three Deloitte reports prepared after the cyber incident. According to reports published in March 2026, Medibank was refused leave to appeal a ruling on the Deloitte reports, and the court ordered that the reports be produced to the applicants in the ongoing consumer class action under a confidentiality regime. Legal commentary has described this as an important privilege issue in cyber incident litigation, particularly where a post-incident report serves operational, regulatory or public relations purposes as well as legal ones.
Affected Medibank, ahm and international student customers should preserve documents that may help show impact or loss: breach notification emails, Medibank correspondence, scam messages, call logs, screenshots, receipts for replacing identity documents, credit checks, bank or Medicare correspondence, records of time spent responding to the breach, and any evidence of distress, humiliation, fraud, identity misuse, extortion attempts or financial loss. Because the Medibank incident involved health information, evidence of embarrassment, family safety concerns or harm caused by exposure of sensitive medical information may also be relevant.
Frequently Asked Questions
What happened in the Medibank data breach?
In October 2022, Medibank Private confirmed that a criminal threat actor had gained unauthorised access to its systems and extracted data belonging to approximately 9.7 million current and former customers, including ahm and international student policyholders. The stolen data included names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, and — for many customers — sensitive health claims information including diagnosis codes and procedure details. Medibank refused to pay the ransom demanded. The threat actor subsequently released the stolen data on the dark web in multiple tranches.
Who was affected by the breach?
Approximately 9.7 million current and former Medibank Private, ahm, and international student customers were affected. Health claims data — which is among the most sensitive personal information that exists — was accessed for a significant subset of those customers. The breach is one of the largest health data breaches in Australian history.
Was the stolen data actually released publicly?
Yes. After Medibank refused to pay the ransom, the threat actor released the stolen data on the dark web in multiple tranches beginning in November 2022. This included files labelled "good-list" and "naughty-list" containing sensitive health information. The release on the dark web is a separate and serious harm to affected customers — it exposed them to risks of identity theft, fraud, and reputational damage.
What is the OAIC complaint about?
The Office of the Australian Information Commissioner (OAIC) investigated the breach and commenced civil penalty proceedings against Medibank Private in the Federal Court of Australia. The OAIC alleges that Medibank failed to take reasonable steps to protect the personal information it held, in breach of the Privacy Act 1988 (Cth). This is a regulatory proceeding brought by the Commissioner and is separate from the consumer class action (McClure v Medibank Private Ltd, VID64/2023).
What are the OAIC civil penalty proceedings?
The OAIC commenced civil penalty proceedings in the Federal Court of Australia against Medibank Private, alleging serious and repeated interferences with privacy under the Privacy Act 1988. Civil penalty proceedings can result in substantial financial penalties if the court finds Medibank failed to meet its legal obligations to protect customer data. These proceedings are ongoing — this page will publish significant court steps and public outcomes as they occur.
What were the Deloitte reports and what happened in the Full Federal Court?
Medibank commissioned Deloitte to review the cyber incident after the breach, and three Deloitte reports were prepared. Whether those reports are protected by legal professional privilege, and so shielded from production, has been a significant procedural issue in the consumer class action. Medibank challenged the ruling that the reports must be produced; the Full Federal Court refused leave to appeal, and the reports were ordered to be produced to the applicants under a confidentiality regime. The outcome of that interlocutory dispute affects what information is available to the court, and potentially to the OAIC, in assessing Medibank's conduct before and after the breach.
Is there a shareholder class action against Medibank?
Yes. A separate shareholder class action has been filed against Medibank Private. The shareholder class action relates to alleged misleading or deceptive conduct and breaches of continuous disclosure obligations — specifically, whether Medibank adequately disclosed its cybersecurity risks to shareholders before and after the breach became public. This is a distinct proceeding from both the OAIC civil penalty case and the Federal Court consumer class action.
How does this matter differ from the Federal Court class action (McClure v Medibank)?
There are multiple overlapping but distinct proceedings arising from the Medibank breach. This matter covers the broader breach ecosystem — the OAIC complaint, the civil penalty proceedings, the dark web release, and the shareholder class action. The Federal Court consumer class action — McClure v Medibank Private Ltd (VID64/2023) — is a separate proceeding brought on behalf of affected individuals, led by Zoe Lee McClure as the lead applicant, seeking compensation for loss and damage caused by the breach. That proceeding has its own page on this platform.
Should I preserve any evidence or records relating to the breach?
If you were affected by the Medibank data breach, it is good practice to retain any communications you received from Medibank about the breach, any evidence of harm you have experienced (such as fraudulent transactions, identity theft incidents, or distress-related expenses), and records of steps you have taken to protect yourself. Retaining this information may be relevant if you participate in any legal proceedings. This is general public information only and does not constitute legal advice.
Does following this matter cost anything or create a legal obligation?
No. Following this matter is completely free. You will not be asked for payment details and you are under no obligation of any kind. Following this matter does not create a solicitor-client relationship and is not a legal retainer. It means you will receive public updates about significant developments in the Medibank proceedings as they occur.