
Hand 'em over! Lessons from Medibank on maintaining legal professional privilege in the age of cybercrime

In the era of rampant cybercrime, Justice Rofe's recently published decision in McClure v Medibank Private Limited [2025] FCA 167 provides useful guidance for clients concerned with minimising their legal exposure following widespread data breaches and maintaining legal professional privilege.
Overview of the Medibank decision
In or around October 2022, Medibank fell victim to a "deliberate and malicious" ransomware attack that resulted in the exfiltration and release of 9.7 million Australian medical records. Not long after, Medibank faced a consumer class action suit alleging it had failed to take proper precautions to protect customer information and breached the Australian Privacy Principles. The matter giving rise to Justice Rofe's decision concerned whether a suite of third party engagements, communications and technical reports, including three reports authored by Deloitte (together, the Deloitte Reports), were subject to legal professional privilege.
In a decision handed down in March (only made public on 4 April 2025), Justice Rofe held that Medibank was unable to claim privilege over the Deloitte Reports. The decision (which Medibank has already appealed) is a useful reminder of the importance of strategically considering the approach to public statements, communications and the commissioning of third party technical reports amidst the chaos of a cyber breach.
Key privilege issues in the Medibank decision
The Applicants argued that privilege did not apply to the contested material because the documents had been prepared for a range of non-legal purposes, none of which was merely ancillary to Medibank's claimed legal purpose and which, taken together, outweighed it. The Applicants characterised these purposes as follows:
operational (to understand and manage the breach);
governance (to assist the Board in its oversight functions);
APRA (to address regulatory concerns); and
ASX and public relations (to alleviate concerns of Medibank customers and update and reassure the market).
In the alternative, the Applicants argued that any applicable legal privilege over the Deloitte Reports had been waived by Medibank's provision of the reports to APRA and its public references to the reports in ASX announcements.
In response, Medibank asserted that the communications and reports were privileged as they had been prepared for the purpose of obtaining legal advice. It argued the reports were commissioned for the dominant purpose of assisting lawyers to understand the factual substratum of the cyber incident and to prepare for anticipated legal and regulatory proceedings. In support, Medibank drew upon evidence of the intentions and states of mind of its CEO, Chair, General Counsel and external lawyers.
What was (and wasn't) covered by legal professional privilege
The Court accepted that Medibank's communications with its third party cyber experts (Coveware and CyberCX), as well as the reports prepared by Threat Intelligence and CrowdStrike, were privileged. However, Justice Rofe held that the Deloitte Reports were not privileged because Medibank's public relations/ASX and APRA purposes were "at least equally dominant, if not more dominant purposes than the provision of legal advice and/or assistance".
The public relations/ASX purpose: The evidence revealed Medibank's predominant interest in assuaging the market and alleviating PR damage. Medibank made several statements as to the public purpose of Deloitte's review, but never referred to the legal purpose of the Deloitte Reports. Justice Rofe also noted that these public references were in stark contrast to Medibank's silence on the work done by its external solicitors, Threat Intelligence and CrowdStrike.
The APRA purpose: Justice Rofe also identified that a key concern for Medibank was avoiding the need for APRA to commission its own external review. Notably, APRA was engaged from the outset of the incident, consulted on the terms of reference of Deloitte's external review and involved in regular tri-partite executive meetings. The Court considered these factors, together with APRA's direct receipt of all Deloitte Reports, to be "antithetical" to Medibank's maintenance of privilege.
Role of the Board: Further, Medibank's claim of privilege was untenable in circumstances where the Board had maintained close oversight and involvement and directly engaged with Deloitte in the absence of lawyers. This pointed to the Board's desire for an "unvarnished view of what had occurred" as opposed to legal advice.
Waiver: In respect of Deloitte's "Post-Incident Report", Justice Rofe held that if properly characterised as privileged, the privilege had nevertheless been waived by Medibank's ASX announcement on 28 April 2023. By this statement, Medibank announced it had begun implementing Deloitte's recommendations and intended to implement the balance.
The outcome of this decision is ultimately unsurprising given the recent decision in Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58, which concerned near-identical issues arising from the 2022 Optus data breach. The Full Court dismissed Optus' appeal on the basis that, although Optus' legal team had demonstrated a legal purpose for commissioning the Deloitte report, this was neither the report's sole nor its dominant purpose.
Practical guidance for in-house counsel
As large-scale data breaches become more common, and litigation arising from them more frequent, it is increasingly important that businesses put in place steps to ensure they are litigation ready. The Medibank decision offers the following useful lessons:
Key decision-makers (particularly general counsel) should implement a co-ordinated approach to incident management, including investigations and public announcements.
Where third-party materials are required for a dominant legal purpose, external legal teams should be engaged as soon as possible and be responsible for commissioning necessary reports on the company's behalf.
A robust privilege protocol should be established to provide consistent guidance on maintaining confidentiality and identifying what work is required, and for what purposes. For reports that are commissioned for multiple purposes, the specific sections attracting privilege should be designated and labelled from the outset.
Where possible, in-house and external legal counsel should oversee any communications and announcements prepared to ensure that the protocols and approaches above are applied consistently. This includes reviewing Board materials, briefing papers, internal communications and ASX announcements.
Where possible, references to commissioned reports (and their contents) in public announcements and communications should be avoided to prevent inadvertent waiver of privilege.
When asserting a claim of privilege, focused and specific evidence from key decision-makers such as the CEO, Chair and general counsel will be vital. The Court has made it clear that the focus is upon the circumstances and objective states of mind of key decision-makers in respect of each document.

