‘Case closed’: Medibank hackers dump entire data file

Medibank will be officially investigated as Russian hackers who dumped the entire cache of stolen Medibank information online have signalled the case closed.

Russian hackers have dumped the entire cache of stolen Medibank data on the dark web, declaring the attack “case closed”, but the health insurer’s chief executive, David Koczkar, says its “work is not over” in cleaning up Australia’s biggest cyber heist.

The Office of the Australian Information Commissioner said Medibank could be fined up to $2.2m per breach if its investigation, launched on Thursday, finds the private health insurer did not take reasonable steps to protect customer data.

At least 9.7 million Australians have been caught up in the breach, with the hackers releasing the personal information of Medibank customers, including medical histories detailing drug addiction and mental health diagnoses.

Home Affairs Minister Clare O’Neil said the government “stands with the victims of this cyber incident”.

“The release of such sensitive and personal data is morally reprehensible,” Ms O’Neil said.

“We anticipated the release of this data, which is why we activated the National Coordination Mechanism (NCM) to ensure that all possible support is being provided to Medibank and those affected by this incident. The NCM has met today to respond to this latest development.”

The hacking group, known as REvil, published the single biggest folder of stolen data on the dark web overnight. “Added folder full. Case closed,” the group said.

It has previously drip-fed the release of customer health records to cause Medibank maximum harm in a series of folders with labels relating to pregnancy terminations, drug and alcohol abuse and various mental health conditions.

Given the size of the latest file, 6.5 gigabytes, Medibank said it continued to work through the data to confirm it was the information stolen from its systems. The data of almost 10 million customers was exposed during the cyber assault.

Early indications are that it is, although the hackers have not matched some of the information with the names of customers as they had in previous instances.

Mr Koczkar said the data appeared to be the customer information it believed the hackers stole but said it was “incomplete and hard to understand”.

Medibank chief executive David Koczkar says the health insurer’s work is not yet done. Picture: Nicki Connolly

Crucially, in what may come as a relief to millions of Medibank customers, he said the data was not sufficient to enable fraud.

“While there are media reports of this being a signal of ‘case closed’, our work is not over,” Mr Koczkar said.

“While our investigation continues, there are currently no signs that financial or banking data has been taken. And the personal data stolen, in itself, is not sufficient to enable identity and financial fraud.”

As the hackers were dumping the entire cache of stolen data, Melbourne-based law firm Maurice Blackburn launched a compensation claim for the almost 10 million Medibank customers who had their information exposed during the attack.

Under the Privacy Act, companies that do not take reasonable steps to protect the personal information of clients face penalties including fines, and consumers may also be compensated for privacy breaches.

The OAIC announced its own investigation on Thursday, saying it would determine whether Medibank’s “handling practices” led to a hacker obtaining the data.

“If the OAIC’s investigation satisfies the commissioner that an interference with the privacy of individuals has occurred, the commissioner may make a determination that can include requiring Medibank to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage,” a statement read.

“If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.”

It came after Maurice Blackburn said it had lodged a representative complaint with the Office of the Australian Information Commissioner (OAIC) against Medibank, alleging the health insurer failed to safeguard its customers’ data.

Maurice Blackburn principal lawyer Andrew Watson said the OAIC offered “an avenue of redress to the millions affected by this incident”.

“The disclosure of personal information, particularly the nature of the information held by Medibank, has caused millions of Australians significant distress. The right to privacy is a fundamental human right,” Mr Watson said.

“We cannot undo the damage that has been caused in this data breach, but we can ask the (OAIC) commissioner to investigate the data breach and seek compensation from Medibank on behalf of those affected, including for financial or non-financial loss, such as humiliation, stress, and feelings of anxiety.”

This week the Australian Parliament increased the maximum penalties for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of $50 million; three times the value of any benefit obtained through the misuse of information; or 30 per cent of a company’s adjusted turnover in the relevant period.

Mr Koczkar said the health insurer was supporting its customers, including by offering “financial hardship measures”.

“We are remaining vigilant and are doing everything we can to ensure our customers are supported. It’s important everyone stays vigilant to any suspicious activity online or over the phone,” he said.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures.

“If customers are concerned, they should reach out for support from our cybercrime hotline, our mental health support line, Beyond Blue, Lifeline or their GP.”

The Australian Prudential Regulation Authority on Monday said it had “intensified its supervision of Medibank” and could force the health insurer to rein in millions of dollars in executive bonuses following the cyber assault.

Last month, Medibank chairman Mike Wilkins said executives – including Mr Koczkar – would keep this year’s bonuses, totalling more than $7.5m. He said the board would not consider adjusting remuneration until next year after it completed an external review of the attack.

The hackers had demanded $15m in ransom for the stolen data, initially asking the country’s largest health insurer for $US10 ($14.73) per impacted customer before “discounting” the demand to $US1 per person impacted.

Originally published as ‘Case closed’: Medibank hackers dump entire data file

Original URL: https://www.heraldsun.com.au/business/case-closed-medibank-hackers-dump-entire-data-file/news-story/ee2c80b7514bd85eb3d6f3a7ad4ec239