A class action has been launched on behalf of customers whose highly sensitive health data was stolen during last year's massive Medibank data breach.
Law firm Slater and Gordon has issued proceedings in the Federal Court seeking compensation for people caught up in the October 2022 breach.
Data from millions of current and former Medibank customers was hacked by a Russian ransomware group that released the information in stages onto the dark web.
The legal action also covers customers of Medibank's subsidiary Australian Health Management (ahm) as well as customers of Medibank's travel insurance products.
Separate legal action was launched by three other law firms in January.
The statement of claim alleges Medibank and ahm breached privacy and consumer laws as well as legislation that governs customer data retention and data protection in Australia.
It argues Medibank and ahm failed to take reasonable steps to protect customers' personal information from unauthorised access or disclosure, failed to destroy or de-identify former customers' information and failed to comply with legal obligations in collecting, using, storing and disclosing customer information.
Slater and Gordon will also allege in court that Medibank had assured its customers that it had "adequate and appropriate security controls in place" to protect their information.
"This breach was one of the most serious breaches in Australian history," Class Actions Practice Group leader Ben Hardwick said.
Mr Hardwick said the class action would seek compensation for the impact the breach had on affected customers, the time they spent applying for new identification and other documents, as well as the stress and frustration caused by the theft of their private, sometimes sensitive, information.
"We're talking about up to 9.7 million Australians who were affected and the nature of the information is what concern is concerning here," Mr Hardwick said.
"Health information is something most people keep incredibly private and want kept between them, their doctors or health providers, and their insurer," Mr Hardwick said.
He said some information included previous drug and alcohol addictions and HIV diagnoses.
The lead applicant has asked not to be identified to protect his privacy.
He said he had trusted ahm because it was owned by Medibank.
"I feel really exposed and unsettled knowing personal information of mine is out there and there's nothing I can do about it," he said.
Medibank has been contacted for comment.
The class action is just one of many lodged in Australia over recent data breaches.
Slater and Gordon is also leading legal action against Optus over its 2022 data breach in which up to 10 million customers and former customers' personal information was compromised.
Gordon Legal and Hayden Stephens and Associates are jointly investigating the possibility of a class action over the Latitude data hack.