Privacy commissioner to investigate Medibank

The Office of the Australian Information Commissioner (OAIC) has opened an investigation into the way Medibank handles its personal information after a catastrophic data breach.

The private health insurer announced on October 13 that it had ‘detected unusual activity’ on its network and said a week later that personal data appeared to have been stolen.

Medibank has since confirmed it believes almost 10 million current and former customers were affected by the cyber attack.

In an update on December 1 Medibank said six zipped files of stolen customer data had been released on the dark web, and it expected the release of files to continue.

Medibank is continuing to investigate, Medibank CEO David Koczkar says.

‘Reasonable’ privacy steps

The OAIC investigation will focus on whether Medibank took reasonable steps to protect the personal information it held from misuse, interference, loss, unauthorised access, modification or disclosure.

It will also consider whether Medibank had in place practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs).

Following the investigation, Australian Information Commissioner and Privacy Commissioner Angelene Falk will have the power to order Medibank to take steps to redress any loss or damage and ensure the incident isn’t repeated.

If the investigation finds serious or repeated interferences with privacy, she will be able to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.

Feds investigate

Investigators in the AFP’s Cyber Command are also working with public and private sector agencies to identify anyone responsible for buying or selling personal identification information.

The Medibank breach followed the theft of personal data held by Optus relating to more than two million customers.
