Medibank could face $21.5 trillion fine over data theft

Medibank could face trillions of dollars in fines after the Australian Information Commissioner launched legal action over a major data breach.

The 2022 cybersecurity incident that affected 9.7 million Medibank and Ahm customers saw hackers steal personal and highly sensitive information and publish it on the Dark Web. 

The Australian Information Commissioner announced on Wednesday it had filed penalty proceedings in the Federal Court following an investigation into the incident, claiming the health insurance giant failed to adequately protect its customers in breach of privacy law. 

Nearly 10 million Medibank customers were caught up in the cyber hacking scandal.

The court could impose fines of up to $2.2 million for each contravention of the Privacy Act, creating a maximum possible fine of more than $21.5 trillion. 

In a statement filed to the Australian Stock Exchange, Medibank said it intended to defend the proceedings.

The Office of the Australian Information Commissioner launched an investigation into Medibank's actions after it was notified of the data theft on October 25, 2022.

The incident saw criminals access information including customers' names, addresses, Medicare numbers, contact details, some passport numbers, and details of health procedures. 

Some of the information was published on the Dark Web, which acting Australian Information Commissioner Elizabeth Tydd said left victims vulnerable to further crimes.

"The release of personal information on the Dark Web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime," she said. 

"We allege Medibank failed to take reasonable steps to protect personal information given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach."

Maurice Blackburn has filed a class action lawsuit against the company on behalf of customers.

Any civil penalties issued against Medibank will be decided by the Federal Court.

Several Medibank customers have also lodged complaints with the Australian Information Commissioner, and Maurice Blackburn filed a class action lawsuit against the company. 

Privacy Commissioner Carly Kind said she hoped the Federal Court case would encourage other businesses to strenuously protect the sensitive data they held.

"This case should serve as a wake-up call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape," she said. 

"Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe."

The Medibank hack is one of several recent corporate data attacks, including data theft from Optus, Ticketmaster, and financial services firm Latitude. 

Electronic prescription firm MediSecure also revealed criminals had stolen its private data about customers last month, and published the information on the Dark Web. 

In a statement, the company said it was working with the National Cyber Security Coordinator and forensic data experts to "confirm the extent of the data breach and all individuals impacted".
