When cyber forensic reports lose legal privilege: The Medibank precedent
The Federal Court of Australia recently delivered a ruling on the application of legal professional privilege (“LPP”) over third-party forensic reports in the context of a cybersecurity incident in McClure v Medibank Private Limited [2025] FCA 167 (the “Medibank case”). This ruling is noteworthy because Hong Kong’s legal position on LPP is similar to Australia’s.
The Medibank case involved a class action arising from a 2022 data breach suffered by Medibank Private Limited (“Medibank”), where threat actors accessed its IT systems using stolen credentials and subsequently exfiltrated customer data (the “Cyber Incident”).
The Claimants sought production of various reports in relation to this Cyber Incident, including:
- Three reports by Deloitte (the “Deloitte reports”)
- Two reports by CrowdStrike (the “CrowdStrike reports”)
- Two reports by Threat Intelligence (the “Threat Intelligence reports”)
- Various communications involving CyberCX and Coveware (the “CyberCX and Coveware communications”).
While Medibank successfully claimed LPP over certain documents, it failed to claim LPP over the others.
This legal update explores what made the difference in the application of LPP – and provides tips for organisations to manage LPP effectively in any future cyber incidents.
Relevant legal principles
The legal principles applied by the Court in the Medibank case appear consistent with a case it decided last year in Singtel Optus Pty Ltd v Robertson (see our legal update).
The legal test for LPP under common law is known as the dominant purpose test. In essence, LPP applies to confidential communications or documents made for the dominant purpose of obtaining legal advice, or for use in litigation or regulatory investigations or proceedings.
The Medibank case underscores that “dominant purpose” is determined objectively, based on the totality of evidence. In particular, the intention of the author or person who procured or produced the communication or document would be relevant.
Key discussion in judgement
Medibank relied upon the purported intentions and respective states of mind of its CEO, its company secretary and its external legal counsel to support its claim that the dominant purpose of the above-mentioned forensic reports was to help its lawyers understand and interpret the factual substratum, or underlying facts, associated with the Cyber Incident in order to provide legal advice.
The Court accepted that their respective states of mind were highly relevant, but not solely determinative.
CrowdStrike reports
CrowdStrike was initially engaged by Medibank’s IT service provider for incident response and investigation services immediately after the cyber incident. CrowdStrike was subsequently engaged to provide technical assistance needed by legal counsel to advise Medibank, particularly regarding compliance with privacy laws.
In assessing whether the CrowdStrike reports were subject to LPP, the Court focused on each document and the purpose for which it came into existence. On considering the evidence, including the privilege disclaimers on the reports and the engagement letters, the Court accepted that the CrowdStrike reports were prepared for the dominant purpose of assisting legal counsel in providing legal advice regarding the Cyber Incident and potential legal proceedings.
It is worth noting that while the CrowdStrike reports were held to be privileged, some of CrowdStrike’s services were found not to be covered by LPP – as there was no evidence to support how they were used to facilitate the provision of legal advice.
Threat Intelligence reports
Medibank had an ongoing engagement with Threat Intelligence as its Digital Forensics and Incident Response partner for services such as dark web monitoring. Hence, the reports produced under this existing engagement were not subject to LPP.
However, two subsequent reports commissioned by the legal counsel to assist its provision of legal advice in response to the Office of the Australian Information Commissioner (OAIC) investigation were accepted by the Court to be created for the dominant purpose of legal advice – and thus were subject to LPP. It is worth noting these two reports were prepared under two separate letters of engagement by the legal counsel.
CyberCX and Coveware communications
CyberCX was initially engaged for crisis communications and operational advice, and Medibank did not claim LPP over communications under this initial engagement.
Nonetheless, a separate statement of works recorded that legal counsel engaged CyberCX to support legal advice to Medibank, including in relation to potential litigation in relation to the Cyber Incident.
Relevantly, the Court noted, “It is not sufficient to deny the claim to privilege that a document is created pursuant to a Statement of Works that may contemplate more than one purpose for the engagement. It is the particular document itself and the circumstances in which it was created which must be examined to ascertain whether the document was created for the dominant purpose of legal advice, not the overarching engagement and statement of works under which it was created.”
After assessing the evidence, the Court was satisfied that the CyberCX and Coveware communications were created for the dominant purpose of providing legal advice to Medibank on the legality of payment of a ransom and its compliance with anti-money laundering, terrorism financing and sanctions laws – and accepted them to be privileged regardless of the purpose of the initial engagement.
Deloitte reports
Although Medibank submitted that the dominant purpose of the Deloitte reports was for obtaining legal advice, the Court held that they were commissioned for multiple purposes that were at least equal to the legal purpose, namely:
- ASX/PR purpose: Medibank’s public announcements through the Australian Securities Exchange (ASX) and communications with employees, customers and health partners made numerous references to commissioning the Deloitte reports, stating that the purpose of the external review was for operational and governance purposes, specifically “to protect and safeguard customers”. Moreover, these statements were approved by the Board or Medibank executives, indicating that Medibank commissioned the Deloitte reports and not its lawyers. The public communications also mentioned a commitment to share the results of the external review, which the Court considered to be inconsistent with the preservation of LPP.
- Australian Prudential Regulation Authority (APRA) purpose: In Medibank’s communications with APRA, its CEO and chair of the board expressed a clear desire to avoid a second external APRA review of the cyberattack. The Court considered this one of the dominant purposes of commissioning the Deloitte reports.
- Absence of lawyers in communications: Deloitte reported directly to the board on its findings, not via Medibank’s legal counsel, and briefed the chair without lawyers present. These factors further affirmed that the legal purpose was not dominant.
Key takeaways
As the legal position of Hong Kong and Australia on LPP is similar, the Medibank case provides further guidance on pitfalls that organisations should watch out for when managing communications and forensic reports in the context of cyber incidents.
Here are some key recommendations to better preserve LPP during such cyber incidents:
- Engage breach counsel early: External legal counsel or advisors should be engaged as soon as possible to help bring engagements with third-party service providers under LPP and maximise the scope of privileged communications. As demonstrated in this case, any work conducted under an existing retainer without the involvement of legal counsel is unlikely to be covered by LPP.
- Cautious public announcements: Organisations should be mindful of what they include in public announcements, as these can inadvertently undermine any claim to privilege. Coordinate with legal counsel before making any public announcements or communications.
- Carefully craft engagements and deliverables: As the Medibank case demonstrates, engagement letters and disclaimers on reports are often crucial evidence in supporting a claim of LPP. Hence, organisations should engage experienced legal counsel to ensure that engagement letters are properly drafted and that all communications and deliverables contain appropriate disclaimers.
Please also see our legal update for a recap of other recommendations around preserving privilege.