Medibank says it’s planning to defend itself against civil penalty proceedings initiated by the Australian Information Commissioner following its massive data breach in October 2022 that saw the personal details of nearly 10m Australians exposed on the dark web.

Under its new proceedings, the Commissioner alleges Medibank interfered with the privacy of 9.7 million Australians from March 2021 to October 2022 by failing to protect their personal information. The decision to launch legal action comes after an investigation led by Australian Information Commissioner, Angelene Falk, following a cyber attack on Medibank.

The personal information of millions of Medibank current and former customers was dumped by hackers on the dark web. Medibank’s business involves collecting and holding customers’ personal and sensitive health information. In the financial year ending June 2022, Medibank generated a revenue of $7.1 billion and an annual profit of $560 million.

Acting Australian Information Commissioner, Elizabeth Tydd, stated, “The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and material risk of identity theft, extortion and financial crime.”

Tydd further alleged Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.

The Office of the Australian Information Commissioner (OAIC) commenced an investigation into Medibank’s privacy practices following a data breach of Medibank and its subsidiary ahm that was notified to the office on 25 October 2022. The investigation focused on whether Medibank’s acts or practices were an interference with privacy or a breach of Australian Privacy Principle (APP) 11.1.

Under APP 11.1, Medibank is required to protect the information it holds from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. The Federal Court can impose a civil penalty of up to $2,220,000 for each contravention of section 13G of the Privacy Act.

Privacy Commissioner Carly Kind emphasised the responsibility of organisations to ensure data safety and security, particularly when handling sensitive data. She warned, “This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”

In response to the proceedings, Medibank released an ASX statement saying it planned to defend itself in the proceedings.

“Medibank advises that the Australian Information Commissioner has today commenced civil penalty proceedings against Medibank in the Federal Court of Australia in connection with the 2022 cybercrime event. The proceedings relate to the Commissioner’s own investigation into the 2022 cybercrime event,” the statement read. “The Commissioner alleges that Medibank breached Australian Privacy Principle 11.1. Medibank intends to defend the proceedings.”