The Federal Court of Australia has recently ruled that Medibank must disclose some of the technical reports related to its 2022 data breach.
This marks a significant development in the intersection of cybersecurity incident response and legal professional privilege.
Foul play
In October 2022, Medibank experienced a significant data breach compromising the personal information of over 10 million current and former customers.
Race to investigate
Following the breach, Medibank commissioned external forensic experts to assess the root cause and extent of the incident, to advise on bolstering its cybersecurity measures, and to inform Medibank's legal strategy and regulatory compliance.
Class action players warm up
A class action was launched against Medibank, alleging the health insurer breached its continuous disclosure obligations and engaged in misleading or deceptive conduct regarding its privacy and information security protections.
To support the assertion that Medibank failed to adequately protect personal information, the class action sought access to certain technical reports. Medibank contended those documents were subject to legal professional privilege because the dominant purpose of each was to obtain legal advice or to prepare for legal proceedings.
The referee's whistle
If Medibank could successfully establish that a technical report or other document is protected by legal privilege, it would not be required to disclose that document in the class action proceedings.
In McClure v Medibank Private Limited [2025] FCA 167, the Court's scorecard result was mixed:
In relation to the documents which did not attract privilege, the Court found those reports had been created for several purposes, of which obtaining legal advice or preparing for litigation was one but not (as the legal test requires) the dominant one. Instead, their dominant purposes included:
and this diminished Medibank's claim of privilege.
The Court added that Medibank's public statements about the PIR's purposes would have waived any privilege that may have existed over that report.
This decision aligns with the Court's previous decisions on legal privilege claims, such as in the Optus data breach case, where similar reports were also deemed not protected by legal professional privilege due to their multifaceted purposes.
Stay in the safe zone
The Medibank decision underscores the importance of understanding the nuances of when legal professional privilege can be claimed over reports prepared or communications made in the context of responding to a cyber incident.
Board members, senior leadership and incident responders must, when commissioning forensic investigations, be aware of the limits of legal privilege, and ensure that the sole or dominant purpose of such reports is to obtain legal advice or prepare for litigation. If reports serve additional purposes, including operational or regulatory objectives, those purposes must be secondary to the legal advice or assistance purpose if a privilege claim is to be retained.
Key learnings for cybercrime victims and incident responders:
Be an MVP
This decision is the latest in a series that serve as a cautionary tale for organisations navigating the complex landscape of cyber incident response and legal professional privilege over technical reports or advice.
An appeal is pending, so the Court's red card decision in this class action claim against Medibank may yet be overturned, in part or in full. Nonetheless, by proactively understanding and managing the purposes of forensic reports and the requirements for a successful privilege claim, organisations can better protect their legal interests when responding to a cyber incident.
To make it into the final rounds on your privilege claims in cyber incident response, practise the game plan above and contact the expert coaches in our Privacy team for assistance.
Authors
Steven Hunwicks | Partner | +61 7 3338 7567 | shunwicks@tglaw.com.au
Hannah Fas | Senior Associate | +61 7 3338 7507 | hfas@tglaw.com.au