Australia's information commissioner has begun an investigation into Medibank's data-handling practices as the hackers behind the breach dumped the last customer information they stole on the dark web.
The health insurer reported the breach on October 13 and the Russian ransomware group has been releasing customer information in a staged manner since early November.
But the Office of the Australian Information Commissioner confirmed on Thursday it was examining Medibank after preliminary inquiries found enough evidence to press further.
The investigation will look at whether the company did enough to protect personal information, and if it took reasonable steps to comply with Australian privacy guidelines.
"All organisations should review their personal information handling practices to ensure reasonable security safeguards are in place," commissioner Angelene Falk said.
The commissioner can seek civil penalties through the Federal Court of up to $2.2 million for each privacy contravention.
It is the latest setback for the health insurer after the hackers posted the remaining data and wrote "Happy Cyber Security Day!!! Added folder full. Case closed".
A Medibank spokeswoman said the company was aware of the data release and was analysing the information.
"Unfortunately, we expected the criminal to continue to release files on the dark web," the spokeswoman said.
Medibank chief executive David Koczkar said investigations were continuing.
"We are remaining vigilant and are doing everything we can to ensure our customers are supported. It's important everyone stays vigilant to any suspicious activity online or over the phone," he said.
Some 9.7 million current and former customers were affected by the Medibank hack.
In October, the hackers demanded a ransom of $US1 per customer, which Medibank declined to pay.
Government Services Minister Bill Shorten said the hack was shocking.
"The people who've hacked Medibank are absolute criminal lowlife," he told ABC Radio on Thursday.
"If people think that any government ID has been in any way breached or they're aware of it, contact us.
"There's no particular comfort that you can give people, but when it's to do with a government services area, we will red-flag anyone we see whose information has been hacked ... if anyone tries to use that ID."
The latest data breach coincides with law firm Maurice Blackburn launching a compensation claim against over the hack.
The firm has lodged a formal complaint with the information commissioner, which could order Medibank to pay money to affected customers.
Principal lawyer Andrew Watson said the hack had caused significant distress to customers.
"The right to privacy is a fundamental human right, and the representative complaint to the Australian information commissioner offers an avenue of redress to the millions affected by this incident," he said.
"We cannot undo the damage that has been caused in this data breach, but we can ask the commissioner to investigate the data breach and seek compensation from Medibank on behalf of those affected."
Federal government agencies as well as Australian Federal Police have been investigating the hack.
Australian Associated Press
Sign up for our newsletter to stay up to date.