Court Blocks Medibank’s Attempt to Stop Investigation into Data Hack

The Federal Court has refused to issue an injunction preventing the Information Commissioner from investigating a 2022 data breach at the private insurer.
Medibank signage sits on top of the Medibank building in Docklands, Melbourne, Australia, on Oct. 1, 2014. (Scott Barbour/Getty Images)
2/22/2024

Medibank has failed in a bid to have the Federal Court issue an injunction preventing the Australian Information Commissioner (AIC) from investigating a data breach that left the personal details of 9.7 million customers exposed.

Details such as names, dates of birth, addresses, and phone numbers of customers were published on the dark web in October 2022, making it the largest cyber ransom attack in Australian history.

The AIC announced its investigation in December.

Medibank Also Facing Class Action

Maurice Blackburn Lawyers lodged a representative complaint on behalf of customers to the AIC in November last year.

In addition, two class actions against Medibank were filed in the Federal Court, but they were consolidated into one proceeding in August 2023.

To try to stop the Commissioner’s investigation, Medibank argued a determination by the AIC could interfere with the administration of justice in the class action.

But Justice Jonathan Beach refused Medibank’s application, ordered it to be dismissed, and ordered the insurer to pay the Commissioner’s costs.

“Even if there was some substance to Medibank’s points, in my view it would be premature to grant an injunction,” he said in his written judgment.

He noted it was not yet known when the Commissioner would reach decisions regarding the investigations, nor what they would contain.

It was also unclear when the class action would be heard in the Federal Court, and what it would entail.

The case is not due to return to court for a case management hearing until May.

“Generally, there is lacking the immediacy of any risk concerning inconsistent findings,” Justice Beach said.

AIC Welcomes Decision

A spokeswoman for Medibank said the company would continue to defend both the representative complaint and the consumer class action.

“Medibank continues to cooperate with the AIC in relation to the commissioner’s own investigation into the cybercrime event, which continues unaffected,” she said.

In turn, the AIC welcomed the Court’s decision.

“The AIC ... continues to progress its investigations into Medibank over its data breach and seeks to bring the matters to a conclusion as soon as possible,” a spokesman said.

In January this year, the Australian government named and sanctioned Russian man Aleksandr Ermakov for the Medibank hack.

He was allegedly associated with Russia-backed criminal gang REvil, which claimed they had been in Medibank’s network for a month.

Just this week, the Australian Federal Police (AFP) said it was aware of reports that Mr. Ermakov had been detained in Russia.

AAP contributed to this report