Medibank could face trillions of dollars in fines after the Australian Information Commissioner launched legal action over a major data breach.

The 2022 cybersecurity incident that affected 9.7 million Medibank and Ahm customers saw hackers steal personal and highly sensitive information and publish it on the Dark Web.

The Australian Information Commissioner announced on Wednesday it had filed penalty proceedings in the Federal Court following an investigation into the incident, claiming the health insurance giant failed to adequately protect its customers in breach of privacy law.

The court could impose fines of up to $2.2 million for each contravention of the Privacy Act, creating a maximum possible fine of more than $21.5 trillion.

In a statement filed to the Australian Stock Exchange, Medibank said it intended to defend the proceedings.

The Office of the Australian Information Commissioner launched an investigation into Medibank’s actions in after it was notified of the data theft on October 25, 2022.

The incident saw criminals access information including customers’ names, addresses, Medicare numbers, contact details, some passport numbers, and details of health procedures.

Some of the information was published on the Dark Web, which acting Australian Information Commission Elizabeth Tydd said left victims vulnerable to further crimes.

“The release of personal information on the Dark Web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” she said.

“We allege Medibank failed to take reasonable steps to protect personal information given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.”

Any civil penalties issued against Medibank will be decided by the Federal Court.

Several Medibank customers have also lodged complaints with the Australian Information Commissioner, and Maurice Blackburn filed a class action lawsuit against the company.

Privacy Commission Carly Kind said she hoped the Federal Court case would encourage other businesses to strenuously protect the sensitive data they held.

“This case should serve as a wake-up call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape,” she said.

“Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”

The Medibank hack is one of several recent corporate data attacks, including data theft from Optus, Ticketmaster, and financial services firm Latitude.

Electronic prescription firm MediSecure also revealed criminals had stolen its private data about customers last month, and published the information on the Dark Web.

In a statement, the company said it was working with the National Cyber Security Coordinator and forensic data experts to “confirm the extend of the data breach and all individuals impacted”.

Jennifer Dudley-Nicholson
(Australian Associated Press)