Medibank was notified on Tuesday that law firm Maurice Blackburn had lodged a complaint with the Office of the Australian Information Commission (OAIC).
However, a Medibank spokeswoman said the company had not yet been contacted by the commissioner in relation to the complaint.
"The complaint includes allegations that Medibank has breached the Australian Privacy Principles and seeks compensation for individuals whose personal information was exposed as a consequence of the cybercrime," the spokeswoman said.
"Medibank will continue to co-operate with the OAIC and its ongoing investigation."
Data from millions of current and former Medibank customers was hacked in October, with the Russian ransomware group behind the data breach releasing the information in stages onto the dark web.
The commissioner confirmed earlier in December it would be examining Medibank after having enough evidence to press further.
The investigation will centre on whether the health insurer did enough to protect personal information and if the company took reasonable steps to comply with privacy guidelines.
The commissioner can seek civil penalties through the Federal Court of up to $2.2 million for each privacy contravention.
The Medibank spokeswoman said the insurer was continuing to work with customers affected by the data breach, including mental health and wellbeing support measures.
20°C