Medibank says it will continue to defend two consumer claims over its 2022 cyber attack, despite failing in its bid to stop an Australian Information Commissioner investigation.
The private health insurer lodged an application in the Federal Court, seeking to restrain the commissioner from investigating and making a determination on a representative complaint it received over the data breach.
It also wanted to stop the AIC from carrying out its own separate investigation into the cyber attack.
Medibank argued a determination from either of the investigations could interfere with the administration of justice in a separate class action, in which customers who had their personal information accessed are seeking compensation.
But Justice Jonathan Beach on Thursday refused Medibank's application against the Australian Information Commissioner and ordered it to be dismissed.
"Even if there was some substance to Medibank's points, in my view it would be premature to grant an injunction," he said in his written judgment.
Justice Beach noted there was still uncertainty as to when the commissioner would make a determination in relation to the two investigations and what it would contain.
It was also unclear when the class action would run in the Federal Court and what it would entail.
"Generally, there is lacking the immediacy of any risk concerning inconsistent findings," Justice Beach said.
He ordered Medibank pay the costs of the commissioner in relation to the originating application.
A Medibank spokeswoman said the private health company would continue to defend both the representative complaint and the consumer class action.
"Medibank continues to co-operate with the AIC in relation to the commissioner's own investigation into the cybercrime event, which continues unaffected," the statement to AAP read.
The commissioner welcomed the Federal Court's decision.
"The AIC... continues to progress its investigations into Medibank over its data breach and seeks to bring the matters to a conclusion as soon as possible," a spokesman told AAP.
At least 9.7 million Medibank customers had information including names, dates of birth, addresses and phone numbers compromised in October 2022, some of which was published on the dark web.
Russian man Aleksandr Ermakov was sanctioned by the federal government in January for his role in the cyber attack.
The mass data breach prompted Maurice Blackburn Lawyers to lodge the representative complaint on behalf of their client to the Australian Information Commissioner on November 18, 2022.
The AIC also announced its own separate investigation on December 1, 2022.
Two class actions were filed against Medibank in the Federal Court but they were consolidated into one proceeding in August 2023.
The class action is due to return to court for a case management hearing in May.