‘Wake-up call’: Medibank faces court action over hack

The government has brought civil action against Medibank Private for failing to take “reasonable steps” to protect the privacy of almost 10 million customers when it was hacked in 2022.

The private health insurer says it intends to defend the action, which can bring a penalty of up to $2.22 million for each contravention of section 13G of the Privacy Act.

“This case should serve as a wake-up call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape,” privacy commissioner Carly Kind said.

The Office of the Australian Information Commissioner alleges that from March 2021 until the October 2022 cyberattack, Medibank “seriously interfered” with the privacy of 9.7 million Australians. It failed to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure, putting it in breach of the Privacy Act, the office says.

Acting information commissioner Elizabeth Tydd says the release of personal information on the dark web exposed many Australians to the likelihood of serious harm, including potential emotional distress and the “material risk” of identity theft, extortion and financial crime.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” she said, noting the insurer’s revenue topped $7 billion in fiscal 2022 and it made $560 million profit.

“Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

The health insurer’s practices were investigated by information commissioner Angelene Falk after hackers accessed the personal information of millions of current and former customers and released it on the dark web.

Australian privacy laws require businesses to take reasonable steps to protect customer information from misuse, interference and loss, and unauthorised access, modification or disclosure. The insurer is also the subject of a Baker McKenzie class action.

Medibank said in August it expected costs related to the cyberattack to be $30-$35 million this year, covering IT security, legal and other work related to regulatory investigations, not including litigation findings.