By: Kieran Doyle and Nicole Gabryk


At a glance

  • The Federal Court rejected Medibank’s claim of legal privilege over Deloitte’s forensic reports, finding they were created primarily for non-legal purposes such as managing ASX disclosures, public relations, and APRA oversight.
  • Privilege was upheld for other materials, including those from CrowdStrike, Threat Intelligence, and CyberCX, where the Court was satisfied they were created to support legal advice and anticipated litigation.
  • The ruling highlights that to preserve privilege, the legal purpose must be clearly dominant and consistently communicated, with courts placing weight on the actual use and context of documents over engagement terms alone.

Following on from the Full Federal Court’s decision in the Optus data breach class action, the Federal Court has again found that forensic reports commissioned in the aftermath of a cyber incident may not attract legal professional privilege if the company seeks to leverage those reports for non-legal purposes, including to give comfort to customers and regulators.

Background

In October 2022, Medibank became aware of an ongoing cyber-attack on its systems, which ultimately resulted in the exfiltration and publication of a significant amount of sensitive customer health data. Since that time, Medibank has been served with a wide range of legal proceedings, including regulatory enforcement proceedings from the Office of the Australian Information Commissioner (OAIC) and the Australian Prudential Regulation Authority (APRA), a consumer class action commenced by individuals whose data was compromised in the cyber incident and a shareholder class action.

In early 2024, the lead applicant in the consumer class action[1] brought an application challenging Medibank’s claim for legal professional privilege over a number of forensic reports and emails that had been created by third party experts in late 2022 and early 2023.

The relevant reports were prepared by Deloitte (3 contested reports), Threat Intelligence (2 contested reports) and CrowdStrike (2 contested reports). There were three contested emails, which had been sent by cyber incident service providers CyberCX and Coveware to Medibank’s solicitors (King & Wood Mallesons, KWM).

The challenge application was heard in May and June 2024, with a judgment in excess of 100 pages handed down on 7 March 2025. The judgment was only recently made public to allow the parties to seek redactions of confidential information.

Key Points

The core of the applicant’s challenge was that none of the reports or emails were privileged because they were not created for the dominant purpose of obtaining legal advice or for use in anticipated litigation. Rather, the applicant contended that there were other, non-legal purposes for which the contested documents were created, and that these purposes predominated over the legal purpose relied on by Medibank to support its privilege claims.

Following a detailed examination of the chronology of Medibank’s cyber incident response and the circumstances surrounding the creation of each contested document, the Court held that the three Deloitte reports were not privileged, as they were created for the dominant purposes of:

  • updating the ASX and allaying market concerns,
  • assuaging concerns of customers and shareholders, and the community more generally, by demonstrating that Medibank was investigating the cyber incident with a view to safeguarding its customers’ information, and
  • addressing concerns raised by APRA, satisfying its requests for information and avoiding an independent APRA review of the cyber incident.

Medibank’s privilege claims were upheld in respect of the balance of the material (reports from CrowdStrike and Threat Intelligence and the CyberCX/Coveware emails).

Medibank has indicated that it is seeking leave to appeal the judgment. We step through the Court’s reasoning in respect of each of the contested privilege claims below.

Deloitte Reports

Deloitte was engaged by KWM on behalf of Medibank on 15 November 2024. According to KWM’s letter of engagement, Deloitte was engaged to “provide expert forensic assistance and cyber expertise […] to enable us to provide legal advice and assistance in relation to the cyber incident to Medibank”.

Deloitte’s scope of works expanded following its initial engagement, and it ultimately produced three reports: a ‘Post Incident Review’ report, a ‘Root Cause Analysis’ report and an ‘External Review – APRA Prudential Standard CPS 234’ report.

Medibank contended that the dominant purpose for the Deloitte review was to assist KWM to provide legal advice to Medibank (as set out in KWM’s letter of engagement). In support of this position, Medibank provided evidence from the KWM Partner with carriage of the matter, who deposed that the primary reasons for commissioning the Deloitte reports were to give KWM a plain English understanding of key technical matters to assist in advising on anticipated legal proceedings and enforcement action, including:

  • the facts and circumstances of the cyber incident,
  • what information had been accessed and exfiltrated by the threat actor, and
  • the extent to which the enhancements to Medibank’s IT systems and processes implemented since the cyber incident would mitigate the risk of reoccurrence.

The applicant accepted that the Deloitte reports were created for the above legal purposes. However, the applicant argued that there were other non-legal purposes for Deloitte’s engagement which were at least as dominant as the legal purposes asserted by Medibank. The Court agreed with the applicant in relation to three of those purposes, being an ASX purpose, a Public Relations purpose and an APRA purpose. Accordingly, the Court denied Medibank’s privilege claims over the Deloitte reports.

See below for more detail on the arguments and the Court’s reasoning in relation to these purposes.

ASX and public relations purposes

The Court held that the Deloitte reports were created for a non-legal “ASX/PR Purpose”, which was to update the ASX, and to communicate with and assuage concerns of customers and shareholders by showing that Medibank was looking to learn from the cyber incident.

Medibank’s numerous public references to the commissioning of the external review, and the appointment of Deloitte, were key to establishing that the Deloitte reports were created for this purpose and that it was at least equally as dominant to the legal purpose. The public references were made in Medibank’s ASX announcements, AGM presentations, press conferences as well as emails to employees and customers. In these communications, Medibank repeatedly stated that it was “committed to transparency” and would share the findings of the review “where we can” or “where appropriate”.

Medibank led evidence from its Chair and CEO that the reason for including the words “where we can” and “where appropriate” was to convey that Medibank was not going to share any of the key outcomes if doing so would increase the risk of a claim against Medibank, reduce Medibank’s ability to defend a legal proceeding or compromise its privilege claim in respect of the external review. For that reason, Medibank contended that the public statements did not demonstrate that the ASX/PR purpose predominated over the legal purpose.

However, the Court observed that none of the public statements included any qualification that the external review was recommended by Medibank’s lawyers or that it was being done for a legal purpose. The Court also noted that, if Medibank’s primary purpose was a legal one, and it envisaged that the Deloitte reports were to be treated as privileged, there was no need for Medibank to refer to the external review at all in any public communications.

For these reasons the Court took the view that the Deloitte reports were created for the ASX/PR purpose and this purpose was at least equally as dominant as the legal purpose.

APRA purpose

Medibank first notified APRA of the cyber incident the day after it was discovered. From the following week, APRA met with Medibank twice weekly, during which Medibank provided updates about the incident response, impacts and business continuity plans.

Through that engagement with APRA, it became apparent to Medibank that unless it commissioned an external review to APRA’s satisfaction, the regulator would likely conduct its own investigation, potentially as a precursor to enforcement action. Medibank’s Chair and CEO gave evidence that a key concern for Medibank was to avoid the need for APRA to conduct its own review. Accordingly, Medibank engaged with APRA as to the scope of the Deloitte review, held a number of tripartite meetings with APRA and Deloitte and committed to sharing the report with APRA.

In December 2022, shortly before Medibank shared the first Deloitte report with APRA, it entered into an agreed privilege protocol with APRA that purported to declare the Deloitte reports privileged and agreed restrictions on use of the reports that were designed to avoid a waiver of Medibank’s privilege. While there are methods of preserving privilege of documents provided to regulators,[2] the Court noted that any such protocol could not retrospectively establish a dominant legal purpose for the commissioning of the external review undertaken by Deloitte.

The Court ultimately found that by inviting APRA’s hands-on involvement in Deloitte’s review and allowing APRA to have direct access to all the Deloitte reports, Medibank had acted inconsistently with an organisation that was commissioning a review for a dominant legal purpose.

Having determined that the ASX/PR purpose and the APRA purpose were at least equally as dominant as the legal purpose, the Court concluded that the Deloitte reports were not subject to a valid claim for legal professional privilege.

Privilege claims upheld

Medibank’s privilege claims were upheld for the remaining contested documents, being reports and emails from Threat Intelligence, CrowdStrike and CyberCX/Coveware.

The factual background to these engagements is similar in that Medibank first engaged them for non-legal purposes and then KWM engaged them separately, for the purpose of assisting with the provision of legal advice. The Court accepted that the initial engagements by Medibank, and some aspects of the later engagements by KWM were for operational purposes and not necessarily for a dominant legal purpose.

However, the Court was clear that the question of whether a document is privileged is not determined solely by reference to the terms of engagement. Whether a document is privileged requires consideration of the document itself and the circumstances that gave rise to its creation. When the circumstances surrounding the creation of the remaining contested documents were examined, the Court formed the view that each document was created for the dominant purpose of providing legal advice. Accordingly, the Court upheld Medibank’s privilege claims over these documents.

See below for further detail on the Court’s reasoning in upholding Medibank’s privilege claims over the reports from Threat Intelligence and CrowdStrike and the emails from CyberCX/Coveware.

Threat intelligence reports

The timing and context of Medibank’s engagement of Threat Intelligence was central to the Court’s determination of the privilege claim.

At the time of the cyber incident, Medibank had an existing engagement with Threat Intelligence to act as its Digital Forensics and Incident Response (DFIR) partner. As a part of this engagement, Threat Intelligence conducted an investigation into the circumstances of the cyber incident and monitored the dark web for publication of customer data and other information related to the cyber incident. Medibank did not assert a claim for privilege in respect of documents created in the context of the DFIR engagement.

The contested privilege claims relate to two reports that were created pursuant to a separate KWM engagement of Threat Intelligence on 22 December 2022.

The crux of the applicant’s complaints about the privilege claims was that the DFIR engagement was operational in nature and not attributable to a legal purpose, and that there was no clear demarcation between the DFIR engagement and KWM’s engagement.

The Court rejected these arguments, noting that KWM’s evidence was clear that its engagement of Threat Intelligence on 22 December 2022 was for the purposes of advising Medibank in relation to the OAIC investigation which had been announced only a short time prior.

Further, the Court explained that even if Threat Intelligence’s scope of works under KWM’s engagement was for operational purposes rather than a legal purpose, the question is not whether the engagement is privileged but whether the reports are privileged. This question, the Court explained, requires consideration of the actual documents and the circumstances in which they came into existence.

Turning to the reports themselves, the Court noted that each was clearly marked as privileged and confidential but hastened to add that this was not determinative. As to the evidence regarding the purpose for which the reports were created, the Court noted that KWM’s evidence (which was not expressly contradicted) was that the reports were requested to assist with providing legal advice to Medibank in respect of the recently announced OAIC investigation.

Finally, the Court observed that the short period of time between the OAIC announcing its investigation on 1 December 2022, KWM engaging Threat Intelligence on 22 December 2022, and delivery of the two reports on 4 January 2022 and 23 February 2023, supports the contention that the reports were commissioned in response to the investigation.

Medibank’s privilege claims over the Threat Intelligence reports were therefore upheld.

CrowdStrike reports

Like Threat Intelligence, CrowdStrike was engaged more than once in relation to the cyber incident.

First, Medibank engaged CrowdStrike directly on 12 October 2022 (the day it became aware of the cyber incident) to provide investigation services, analyse data, identify compromised systems, deploy a software tool (known as Falcon) to combat the ongoing attack and provide recommendations for containment and recovery actions. Medibank did not press privilege claims in relation to documents created in the context of this initial engagement.

Then, on 18 November 2022, KWM issued a letter of engagement to CrowdStrike, which adopted the scope of works from Medibank’s prior direct engagement. The applicant contended that because CrowdStrike’s initial scope of works (which was operational in nature and not privileged) was simply rolled over into KWM’s subsequent engagement, KWM’s engagement could not be privileged. The applicant alleged that the purpose of KWM’s engagement was to cloak CrowdStrike’s ongoing operational (and non-legal) activities in legal professional privilege.

In contrast to the Threat Intelligence reports, the Court accepted that much of CrowdStrike’s scope of works was operational and not for a legal purpose. However, consistent with its approach to the Threat Intelligence reports, the Court again noted that the question is not whether the engagement is privileged but whether the reports are privileged, and that to answer this question reference must be had to the reports themselves and the purpose for which they were created.

KWM’s evidence was that the two reports in question were prepared by CrowdStrike in direct response to specific instructions provided by KWM, and that these instructions were provided to assist KWM to provide legal advice to Medibank. The Court did not highlight any evidence that directly contradicted KWM’s evidence and accepted that the instructions were provided with a legitimate legal purpose. The Court also noted that the reports were each marked as confidential and privileged.

Having regard to all the relevant factors, and notwithstanding that much of CrowdStrike’s work in respect of the cyber incident was not privileged, the Court accepted that the two CrowdStrike reports in question were prepared for the dominant purpose of providing legal advice.

Medibank’s privilege claims in relation to the CrowdStrike reports were therefore upheld.

CyberCX / Coveware

CyberCX was also engaged more than once in relation to the cyber incident. It was first engaged by Medibank’s External Affairs team on 12 October 2022 to assist in the limited capacity of supporting Medibank’s crisis communication strategy. Then, on 29 October 2022, KWM entered into a separate engagement with CyberCX.

The scope of works for the second engagement was much broader than Medibank’s initial engagement. It indicated that CyberCX would provide assistance with strategic advice, stakeholder management, crisis communications, threat actor intelligence and engagement, and data discovery. The scope of works also provided that CyberCX would engage Coveware to assist with threat actor engagement.

As with the Threat Intelligence and CrowdStrike reports, the applicant highlighted that, at face value, CyberCX’s overall engagement did not appear to be strictly for a dominant legal purpose. Although the Court accepted that this was correct, it again noted that privilege claims relate to specific documents, not the engagement as a whole, and that the circumstances surrounding the creation of each document need to be considered.

The privilege challenge pertained to three emails that were sent by CyberCX to KWM over 26 and 27 October 2022.

Medibank asserted that the emails from CyberCX related to requests for details regarding the identity and location of the threat actor. According to KWM’s evidence, these requests (and the emails in response) were made for the dominant purpose of assisting KWM to provide legal advice to Medibank regarding the legality of paying a ransom. KWM explained that this advice was essential for a Board meeting that was to take place on 29 October 2022, during which the Board would consider whether a ransom would be paid.

The Court noted that KWM’s engagement of CyberCX aligned with the rapid evolution of the cyber incident and that the type of information provided by CyberCX in the contested emails (being the identity of the threat actor) was entirely consistent with the need to provide advice to Medibank’s board as to the legality of a ransom payment.

For these reasons, the Court concluded that the CyberCX and Coveware emails were created for the dominant purpose of providing legal advice, and Medibank’s privilege claims in respect of them were upheld.

Conclusion

The Medibank decision is consistent with the Full Federal Court decision in Optus. It reaffirms the idea that an organisation’s public statements around the time of commissioning expert reviews can compromise privilege claims over the resulting reports. Organisations in the midst of a cyber incident should think carefully before making public reference to engagements, reviews or reports that the organisation may wish to keep privileged.

While proactive engagement with regulators has obvious benefits, allowing regulators to be heavily involved in the engagement of a forensic review can compromise privilege claims over the resulting reports.

In order to assert and protect legal privilege over documents created during a cyber incident, the legal purpose for each third-party report should be clearly documented and such purpose communicated to the third party throughout the engagement.

Legal advisors should work closely with third-party vendors during a cyber incident to ensure that the reports contain adequate detail and that privilege is maintained.

The Court also showed that it will carefully consider the material in question, rather than the engagement itself, when determining the privilege status of material. This is an important reminder to parties that while the terms of the engagement are important to assist in establishing privilege, they may not be the determinative factor in a privilege claim.

Absent direct evidence to the contrary, the Court has demonstrated a willingness to accept a solicitor’s evidence as to the purpose for which a document was created without further documentary evidence in support. To overcome such evidence, parties challenging privilege claims should look to provide evidence that expressly contradicts the solicitor’s evidence or extract meaningful concessions in cross examination.


[1] McClure v Medibank Private Limited VID 64 of 2023.

[2] See our note on the recent Full Federal Court decision in ASIC v Noumi [2024] FCA 349: https://www.wottonkearney.com/full-federal-court-backs-privilege-protections-in-voluntary-disclosures-to-asic/