As at 2 July 2024 our online forms will be changing.  The current forms will no longer be available and we kindly request any saved forms to be submitted by the same date.  The replacement forms will be available by 3 July 2024

Published date: 3 June 2024

1. What is this notice about?

1.1. On 30 March 2023, the Australian Information Commissioner accepted a representative complaint against Medibank Private Limited (Medibank).

1.2. The representative complaint was lodged by Maurice Blackburn Lawyers (on behalf of the representative complainant) against Medibank under section 36 of the Privacy Act 1988 (Cth) (Privacy Act). The representative complainant alleges that Medibank has interfered with the privacy of individuals pursuant to s 13(1)(a) of the Privacy Act by breaching Australian Privacy Principle (APP) 11.

1.3. The representative complaint relates to the Medibank data breach that occurred in October 2022 (the Data Breach). The Data Breach involved the unauthorised access by a third party of the customer records containing the personal and sensitive information of current, former and prospective Medibank customers (including ahm Health Insurance and international customers, and authorised representatives). Some of this personal information has been released on the dark web.

1.4. Medibank has advised that it has written to affected individuals advising them of what personal information of theirs was impacted and what support and advice is available. More information about the Data Breach can be found at Cyber Response Support Program (medibank.com.au)

1.5. Please note the representative complaint is a separate process to the class action in the Federal Court of Australia against Medibank (Zoe Lee McClure v Medibank Private Limited). More details on the class action are available at Medibank Class Action - Omni Bridgeway.

1.6. This notice has been published for the information of individuals who might be class members.

2. What is a representative complaint?

2.1. A representative complaint is a complaint brought by an individual, a complainant, on behalf of a group of people (class members) against an entity covered by the Privacy Act, where the complainant and the class members have similar complaints against the same respondent entity whose acts or practices may be an interference with the privacy of those individuals (see Chapter 1: Privacy complaint handling process).

3. Am I a class member?

3.1. You are a class member if your personal information was exposed as a consequence of the Data Breach. If you are unsure whether you are a class member, you should contact Maurice Blackburn.

4. What does it mean if I remain a class member?

4.1. The representative complainant does not need to seek the consent of class members to lodge a representative complaint.

4.2. If a representative complaint is investigated by the Australian Information Commissioner, and the Commissioner finds the complaint against Medibank substantiated, she may make a determination that includes a declaration that class members are entitled to an amount of money in respect of any loss or damage (including injury to a person’s feelings or humiliation) suffered by reason of Medibank’s acts or practices, the subject of the representative complaint.

4.3. If you choose to remain a class member, any determination made by the Australian Information Commissioner, including any declaration that class members are entitled to compensation, will apply to you.

4.4. If you are a class member of a representative complaint you are not entitled to lodge a complaint in your own capacity about the matter which is the subject of the representative complaint (unless you have already lodged an individual privacy complaint – see below).

4.5. If you want to remain a class member you do not need to do anything at the present time. The representative complainant, represented by Maurice Blackburn Lawyers, will continue to bring the representative complaint on your behalf, and your complaint will be dealt with as part of the representative complaint process. However, you are invited to contact Maurice Blackburn Lawyers and register as a class member so that further information about the representative complaint can be sent to your preferred address (see Medibank Data Breach 2022 Investigation).

4.6.Class members can stop being class members by withdrawing from the representative complaint process. If you do not want to remain a class member you can withdraw from the representative complaint process at any time by following the instructions below under “Representative complaint – how to withdraw”.

5. How can I withdraw from the representative complaint?

5.1. If you qualify as a class member and wish to withdraw from the representative complaint, you must do so by following the instructions below under “Representative complaint – how to withdraw”.

5.2. Each individual seeking to withdraw from the representative complaint should withdraw separately. For class members who are children, the withdrawal should be submitted by a parent or guardian.

5.3. Please note that if you withdraw, any determination made by the Australian Information Commissioner, including any declaration that class members are entitled to compensation, will not apply to you.

6. What do I need to do if I have already lodged an individual privacy complaint?

If you no longer wish to proceed with your individual privacy complaint in light of the representative complaint

6.1. Please notify the OAIC officer managing your individual privacy complaint that you wish to withdraw your individual privacy complaint.

6.2. If you do not withdraw your individual privacy complaint, the Australian Information Commissioner or her delegate may decide not to investigate your complaint (or investigate it further) under s 41(1) of the Privacy Act), in light of the representative complaint.

If you no longer wish to remain a class member of the representative complaint and instead wish to proceed with your individual privacy complaint

6.3. You cannot make an individual complaint if you are already a class member of the representative complaint. If you want to pursue an individual complaint that has already been made you must withdraw from the representative complaint by following the instructions below under “Representative complaint – how to withdraw” and/or notifying the OAIC officer managing your individual privacy complaint that you have withdrawn from the representative complaint and wish to proceed with your individual privacy complaint.

7. What if I want to lodge an individual privacy complaint?

7.1. If you wish to lodge an individual privacy complaint against Medibank about the Data Breach (see Lodge a privacy complaint with us), you must first withdraw from the representative complaint. You must do so by following the instructions below under “Representative complaint – how to withdraw”.

8. Collection, use and disclosure of your personal information by the OAIC

8.1. We will handle your personal information in accordance with the Australian Privacy Principles.

8.2. We will collect your personal information for the purposes of removing you as a class member of the representative complaint, such as your name and contact information.

8.3. We may also collect personal information about you, which is relevant to the representative complaint, indirectly from Medibank and other third parties relevant to the representative complaint process.

8.4. We will use the information you provide us for the purposes of removing you as a class member of the representative complaint. This may include review of your personal information by contractors engaged to assist us with this matter.

9. Further information

9.1. For further information about how we handle your personal information please see our privacy policy.

9.2. If you have any questions about the personal information we collect and how we will handle your information, please contact the OAIC via the methods set out here: Contact us. Please note that you will not be able to withdraw from the representative complaint using our online enquiry form or over the phone.

9.3. If you have any questions about the representative complaint, we encourage you to look at the ‘Resources’ and ‘Frequently asked questions’ on Maurice Blackburn Lawyers’ website (see Medibank Data Breach 2022 Investigation ).

Medibank representative complaint - how to withdraw

Please provide the below information to the OAIC via email to representativecomplaints@oaic.gov.au

Name of class member:

Email address:

Individual complaint reference number (starting with CP) if applicable:

The class member named above gives notice that they withdraw from the Medibank representative complaint.

OAIC logo
Contact us 1300 363 992

Monday to Thursday 10 am to 4 pm (AEST/AEDT)

Acknowledgement of Country

The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.

© Commonwealth of Australia