The Australian Information Commissioner has launched legal action against Medibank Private in relation to a catastrophic October 2022 cyber attack.

Civil penalty proceedings have been filed in the Federal Court, the Office of the Australian Information Commissioner (OAIC) said on Wednesday.

The Australian Information Commissioner alleges that Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access.

The Commissioner can apply to the Federal Court for a civil penalty order where an entity is alleged to have engaged in serious or repeated interferences with privacy in contravention of the Privacy Act.

For these proceedings, the Federal Court can impose a civil penalty of up to $2,220,000 for each contravention.

The proceedings follow an OIAC investigation into the breach, which saw the personal information of millions of current and former customers accessed and released on the dark web.

Acting Australian Information Commissioner Elizabeth Tydd says the hack and the release of information on the dark web exposed many people to the likelihood of serious harm, including the risk of identity theft, extortion and financial crime, and emotional distress.

We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.

Acting Australian Information Commissioner Elizabeth Tydd

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” Commissioner Tydd said.

“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

Privacy Commissioner Carly Kind said organisations that collect, use and store personal information have a considerable responsibility to ensure that data, and especially sensitive data, is held safely and securely.

“This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape,” she said.

“Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”

The OAIC says it has also received related multiple individual complaints and a representative complaint brought by law firm Maurice Blackburn on behalf of a group of people affected by the breach.

Medibank also faces a separate class action in the Federal  Court.