Medibank fights to keep privilege over data hack report

To scrap legal professional privilege from the Deloitte report, lawyers behind the Medibank class action have grilled the CEO on public comments the insurance giant made after the October 2022 data hack.

Naomi Neilson 21 May 2024 Big Law

Appearing in the Federal Court on Monday (20 May), Medibank’s CEO, David Koczkar, was questioned on public statements the board made after a hacking group stole personal details from 9.7 million Australians.

Included in those statements was reference to a Deloitte report, commissioned through major firm King & Wood Mallesons (KWM), that Medibank is claiming it cannot disclose to class action applicants because it is currently covered under legal professional privilege.

Appearing for the applicants, counsel Wendy Harris KC argued the report’s primary purpose was not for legal advice and questioned why the board never mentioned this was the case in its statements.


“I was always told, and certainly had in my mind, that if you talk about a legal review, you waive privilege,” Koczkar said.

“That was one of the reasons we didn’t include it, in my mind.”

Pushed more on a statement about the insurance giant’s half-year results in 2023, Harris asked why the board included mention of the Deloitte report if they were concerned it would waive privilege.

“We felt it was appropriate to reassure the market,” Koczkar said.

Harris told the court that orders it makes about the confidential Deloitte report would stretch over the 140,000 documents in evidence.

At the moment, the case is focused on three tranches of the Deloitte report, being the post-incident review report, root cause analysis report, and a CPS234 external review for Australian Prudential Regulation Authority (APRA) compliance.

There are also information reports by cyber security firms CrowdStrike, Threat Intelligence, and CyberCX. The latter supplied a software program to assist Medibank with tracking down the hacker’s presence.

“We say, in respect of those reports, they were effectively created for reasons other than the dominant purpose of legal professional privilege.

“Or, in the alternative, the privilege in those documents has been waived,” Harris told the Federal Court.

Before the court moved into Koczkar’s examination, Medibank’s counsel argued it would be “treacherous” to allow a cross-examination so “witnesses to expose themselves to the prospect of destroying the very confidence they are trying to establish”.

“We have tried to be as transparent as possible in these lengthy affidavits so, having those tendered before Your Honour, the next question is do they also have to be subjected to cross-examination?” Medibank’s counsel said.

The matter will return for further cross-examinations later this week.