Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Australia: OAIC files proceedings against Medibank over data breach

On June 5, 2024, the Office of the Australian Information Commissioner (OAIC) announced that it had filed civil penalty proceedings in the Federal Court against Medibank Private Limited in relation to a data breach at the company in 2022.

Background to the decision

The OAIC explained that it initiated an investigation after Medibank, a health insurance services provider, was the subject of a cyber-attack in which the personal information of current and former customers was accessed by threat actors and subsequently released on the dark web.

Findings of the OAIC

The OAIC determined that from March 2021 to October 2022, Medibank interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorized access or disclosure in breach of the Privacy Act 1988 (No. 119, 1988) (as amended) (the Privacy Act).


The OAIC specified that it may seek civil penalties through the Federal Court of up to AUD 2.2 million (approx. $1.46 million) for each of Medibank's contraventions of the Privacy Act. However, the OAIC explained that whether a civil penalty order is made, and the amount are matters before the court.

You can read the press release here.