Red card for privilege defence: Medibank's claims of privilege over cybersecurity reports face legal scrutiny

The Federal Court of Australia has recently ruled that Medibank must disclose some of the technical reports related to its 2022 data breach.  

This marks a significant development in the intersection of cybersecurity incident response and legal professional privilege.

Foul play

In October 2022, Medibank experienced a significant data breach compromising the personal information of over 10 million current and former customers.  

Race to investigate

Following the breach, Medibank commissioned external forensic experts to assess the root cause and extent of the incident and advise on bolstering its cybersecurity measures, and further inform Medibank's legal strategy and regulatory compliance.

Class action players warm up

A class action was launched against Medibank, alleging the health insurer breached its continuous disclosure obligations and engaged in misleading or deceptive conduct regarding its privacy and information security protections.

To support the assertions that Medibank failed to adequately protect personal information, the class action sought access to certain technical reports.  Medibank contended those documents were subject to legal professional privilege because the dominant purpose of each was to obtain legal advice, or prepare for legal proceedings.  

The referee's whistle

Where Medibank could successfully establish that, to the extent a technical report or other document is protected by legal privilege, Medibank would not be required to disclose that document in the class action proceedings.

In McClure v Medibank Private Limited [2025] FCA 167, the Court's scorecard result was mixed:

• ✔ (Privileged) Expert reports prepared for advice about mandatory notifications under the Privacy Act, and to respond to an OAIC investigation.
• ✔ (Privileged) Emails to legal advisers about the threat actor which assisted advice on considerations as to legality of making a cyber ransom payment.
• ✘ (Not privileged) Root cause analysis, Post incident review (PIR), and Report on compliance with (APRA Prudential Standard) CPS 234.

In relation to the documents which did not attract privilege, the Court found those reports had been created for several purposes, including but not (as the legal test requires) for the dominant purpose of obtaining legal advice or preparing for litigation.  Instead, their dominant purposes included:

• reassuring stakeholders: Medibank publicly stated that it, not its lawyers, commissioned the review to 'protect and safeguard customers', which indicated a goal of calming market and consumer concerns; and
• avoiding an APRA review: Medibank sought to proactively meet APRA’s expectations to avoid a need for the regulator to launch its own investigation.  This purpose was evidenced by frequent direct engagement between APRA, Medibank, and the external forensic experts (with minimal involvement from Medibank's lawyers),

and this diminished Medibank's claim of privilege.  

The Court added that Medibank’s public statements about the PIR's purposes would have waived privilege (if any) that may have existed over that report.

This decision aligns with the Court's previous decisions on legal privilege claims, such as in the Optus data breach case, where similar reports were also deemed not protected by legal professional privilege due to their multifaceted purposes.  

Stay in the safe zone

The Medibank decision underscores the importance of understanding the nuances of when legal professional privilege can be claimed over reports prepared or communications made in the context of responding to a cyber incident.  

Board members, senior leadership and incident responders must be aware when commissioning forensic investigations about the limits of legal privilege, and ensure that the sole or dominant purpose of such reports is to obtain legal advice or prepare for litigation.  If reports serve additional purposes, including operational or regulatory objectives, those purposes must be secondary to the legal advice or assistance purpose if they are to retain a privilege claim.

Key learnings for cybercrime victims and incident responders:

• To attract privilege and survive an opponent's challenge to that claim, the provision of legal advice or assistance must be the sole or dominant purpose for preparing a report. A report may serve additional purposes, provided those are not dominant.
• A report may be privileged, yet non-privileged information which underpins the report (but is not in the report itself) may remain discoverable.
• Even if technical findings may be non-privileged, they can contribute to subsequent reports or advice which do attract and retain privilege.
• Assume privilege will not blanket all aspects of incident response.  A good IR approach and plan - and public statements made by the organisation's board and senior leaders - should anticipate which aspects of reports, documents or correspondence is more or less likely to hold privilege.

Be an MVP

This is a further decision among a series which serves as a cautionary tale for organisations navigating the complex landscape of cyber incident response and legal professional privilege over technical reports or advice.  

An appeal is pending so the Court's red card decision in this class action claim against Medibank may be overturned, whether in part or full.  Yet by proactively understanding and managing the purposes of forensic reports and requirements for a successful privilege claim, organisations can better protect their legal interests for responding to a cyber incident.

To make it into the finals rounds on your privilege claims in cyber incident response, practice the game plan above and contact the expert coaches in our Privacy team  for assistance.

Authors

Steven Hunwicks | Partner | +61 7 3338 7567 | shunwicks@tglaw.com.au

Hannah Fas | Senior Associate | +61 7 3338 7507 | hfas@tglaw.com.au

‍