Federal Court of Australia - Full Court · [2026] FCAFC 38

Medibank Private Limited v McClure

In Medibank Private Limited v McClure [2026] FCAFC 38, the Full Court dismissed Medibank's application for leave to appeal from a primary decision that three Deloitte reports prepared after its 2022 cyber incident were not protected by legal professional privilege. The Court extract shows that privilege turned on dominant purpose assessed objectively across the whole factual setting, not just lawyer involvement or retainer wording. Public statements, regulator engagement and governance materials all mattered. The case is a practical warning for businesses commissioning external reviews after a crisis.

These are plain-English explainers, not legal advice. They are a good starting point, but check the linked official source before you rely on a specific section, and get advice for your situation.

Decision snapshot

Facts

The dispute

Medibank sought leave to appeal from a primary judgment that rejected its claim of legal professional privilege over three Deloitte Risk Advisory reports prepared after the cyber incident that affected Medibank in late 2022. The three reports identified in the Court extract were a Post Incident Review report, a Root Cause Analysis report and a report directed to compliance with APRA Prudential Standard CPS 234. Earlier privilege disputes had narrowed, so the real contest came to focus on those three reports.

The background was a large-scale corporate crisis. Between August and October 2022, cyber criminals accessed Medibank's IT systems and exfiltrated customer data. In response, Medibank activated crisis management processes. Its General Counsel engaged King & Wood Mallesons to provide legal advice. CrowdStrike was engaged for technical incident response and containment work, and CyberCX was separately engaged to assist with crisis communications. Medibank also notified APRA and the OAIC and made ASX announcements. The Court extract records that several streams of activity were running in parallel from an early stage: legal advice, internal investigation, technical containment, communications planning, regulatory notification and broader operational response.

The extract also shows why privilege became contentious. Medibank's senior officers were aware of litigation risk, including class action risk, and wanted external expertise to help lawyers understand the incident and advise on legal exposure. But Medibank also publicly described the external review as part of learning from the event, strengthening customer safeguards and, where appropriate, sharing key outcomes. A draft board paper and governance materials referred to broader post-incident workstreams, governance improvements, data management initiatives and security culture measures.

Medibank also engaged with APRA about the preferred provider, the review's scope and governance structure, and APRA suggested amendments dealing with root cause, control deficiencies, CPS 234 non-compliance and response effectiveness. The final Deloitte engagement letter stated that Medibank had engaged King & Wood Mallesons for confidential legal advice and that Deloitte was engaged for the dominant purpose of assisting those lawyers. Even so, the primary judge found Medibank had not established that the reports were commissioned for the dominant purpose of obtaining legal advice. In the alternative, the primary judge also found that privilege in part of the Post Incident Review report had been waived by Medibank's public statements. Medibank then applied for leave to appeal to the Full Court, arguing in substance that the primary judge had not given proper effect to evidence from senior officers and lawyers about the reports' legal purpose.

Issue

The legal question

The central issue was whether three Deloitte reports prepared after Medibank's 2022 cyber incident were created, commissioned or obtained for the dominant purpose of legal advice, so that legal professional privilege attached. Medibank argued that the reports were commissioned through King & Wood Mallesons in the context of anticipated class actions and regulatory scrutiny, and that senior officers and lawyers gave evidence supporting that legal purpose. The competing question was whether the objective circumstances showed broader substantial purposes, including regulatory engagement, governance oversight, operational reform, customer assurance and public transparency. A related issue was waiver, namely whether Medibank's public statements about the review were inconsistent with maintaining confidentiality in the reports.

Outcome

Decision

The Full Court dismissed Medibank's application for leave to appeal and ordered Medibank to pay the respondents' costs. On the extract available, the Court held that Medibank's proposed grounds were not sufficiently arguable because they were, in substance, an attack on the primary judge's evaluative findings about purpose rather than a demonstration of legal error. The Court said the primary judge had correctly applied the dominant purpose principles and was entitled to assess purpose objectively by reference to the totality of the evidence. That included witness evidence, retainer documents, public ASX statements, APRA's involvement in the review's scope and governance, and board and organisational materials showing broader institutional purposes. The extract also confirms the Court's reminder that waiver depends on inconsistency with confidentiality, not merely on reference to a privileged process.

Practical impact

Commercial note

If your business needs an external review after a serious incident, decide early what each piece of work is for. A report intended mainly to help lawyers give legal advice should be scoped, governed and described consistently with that purpose. If you also need a regulator-facing, board-facing, remediation or public-assurance review, consider whether that should be a separate workstream. Do not assume that routing everything through external lawyers or using privilege wording in an engagement letter will settle the issue. Courts can look at ASX announcements, board papers, regulator communications, governance structures and the practical role the report was expected to play. Also be careful with public statements about sharing findings, recommendations or lessons. The extract shows that waiver is a separate question turning on inconsistency with confidentiality, and public messaging may later be tested against that standard. The safest commercial approach is disciplined separation of purposes, careful records and coordinated legal and communications planning.

The story

Medibank Private Limited v McClure [2026] FCAFC 38 arose from Medibank's response to the cyber incident that affected it in late 2022. The Court extract records that cyber criminals accessed Medibank's IT systems and exfiltrated customer data. That triggered a broad corporate response involving legal advisers, technical responders, communications consultants, regulators, the board and senior management.

From the start, Medibank was dealing with several pressures at once. It needed legal advice. It needed to understand what had happened technically. It needed to notify regulators and communicate with the market. It needed to manage customer, reputational and governance consequences. The extract repeatedly shows that these streams were running in parallel, not one after another.

The later court fight was not about whether the cyber incident occurred. It was about whether three Deloitte reports prepared after the incident were protected by legal professional privilege. Medibank said the reports were commissioned through its external lawyers for the dominant purpose of obtaining legal advice and assistance in relation to legal exposure. The respondents said the reports served broader purposes and were not privileged on that basis.

What was being fought over

The extract identifies three Deloitte Risk Advisory reports as the real subject of the dispute. They were a Post Incident Review report, a Root Cause Analysis report and a report directed to compliance with APRA Prudential Standard CPS 234. Earlier privilege claims over a broader body of material had narrowed, and Medibank continued to press privilege over these three reports.

That narrowing is important. The case was not a general ruling that everything created during a cyber response is unprivileged. Nor was it a ruling that all expert reports commissioned through lawyers are privileged. The Court was dealing with a specific set of reports and a specific factual matrix about why they were commissioned and how they were positioned inside Medibank's broader response.

Medibank relied on the kinds of facts businesses often point to in privilege disputes. King & Wood Mallesons had been engaged to provide legal advice. Litigation and regulatory action were realistic prospects. Senior officers and lawyers gave evidence that the reports were needed so the legal team and board could receive advice on a sound factual footing. The final Deloitte engagement letter said Deloitte was engaged for the dominant purpose of assisting the lawyers so legal advice and assistance could be provided to Medibank.

But the extract also records a wider picture. Medibank had publicly described the external review as a way to learn from the event, strengthen its ability to safeguard customers and share key outcomes where appropriate. Governance materials integrated the review into board and executive oversight structures. APRA was engaged about the review's scope and governance and suggested amendments dealing with root cause, control deficiencies, CPS 234 non-compliance and response effectiveness. Those facts mattered because they suggested the reports may have been serving substantial non-legal functions as well.

What the Court decided

The Full Court dismissed Medibank's application for leave to appeal and ordered Medibank to pay the respondents' costs. On the extract available, the Court treated Medibank's proposed grounds as not sufficiently arguable. It said the primary judge had correctly identified the governing legal principles and that Medibank's challenge was, in substance, an attack on evaluative findings about purpose rather than a demonstration of legal error.

The Court accepted that Medibank's witnesses, including senior officers and lawyers, had given evidence supporting a legal-advice purpose. It also accepted that there had been genuine legal concern, anticipated litigation and a formal retainer using familiar privilege language. But the Court said that did not end the inquiry. The question remained whether, objectively viewed across the whole institutional picture, legal purpose was the ruling or prevailing purpose.

The extract shows the Court rejecting Medibank's argument that, unless witness evidence was shown to be unreliable or directly contradicted, the court was bound to accept that legal purpose was dominant. The Court said that is not how the law works. Honest and persuasive evidence about what decision-makers thought is important, but it does not dictate the legal conclusion if the objective circumstances point to broader substantial purposes.

Those objective circumstances included Medibank's public ASX statements about learning from the event, strengthening customer safeguards and sharing key outcomes where appropriate. They also included APRA's involvement in the review's scope and governance, and governance materials showing the review sat within board and executive oversight and broader organisational reform. The Court considered that the primary judge was entitled to treat those matters as part of the objective matrix from which purpose had to be inferred.

The extract also records an important point about waiver. The Court noted that waiver depends on inconsistency with confidentiality, not merely on reference to a privileged process. That means public discussion of a review does not automatically waive privilege, but it can still become relevant if the way the review is described or used is inconsistent with keeping the underlying communications confidential.

Documents and conduct that mattered

The extract is useful because it shows the kinds of documents and conduct that can influence a privilege analysis. First, there were the retainer documents. Medibank relied on the final Deloitte engagement letter, which said Deloitte was engaged for the dominant purpose of assisting King & Wood Mallesons to provide legal advice and assistance. That was relevant and supportive of Medibank's position, but the Court treated it as one part of the picture rather than the whole answer.

Secondly, there were public statements. The extract refers to ASX announcements in which Medibank said it would learn from the incident, continue to strengthen its ability to safeguard customers and share key outcomes of the review where appropriate. The Court considered those statements important because they showed how Medibank itself chose to explain the review at the time it was being commissioned.

Thirdly, there were governance and board materials. A draft board paper described a phased response architecture extending from immediate containment to later governance and operational improvement. A governance flow document grouped incident investigation and external review together under board and executive supervision and referred to sharing findings and lessons with stakeholders. Those materials suggested the review was integrated into broader institutional response and reform.

Fourthly, there was regulator engagement. Medibank informed APRA that King & Wood Mallesons had been engaged and that Deloitte was the preferred provider for the external review. APRA suggested amendments directed to root cause, control deficiencies, CPS 234 non-compliance and response effectiveness. The Court did not say that regulator involvement is incompatible with privilege. Rather, it treated that involvement as part of the objective context for deciding what the reports were really for.

For businesses, this part of the case is especially practical. Privilege disputes are often won or lost not on one dramatic fact, but on the consistency or inconsistency between engagement letters, board papers, regulator communications, public statements and the actual use expected of the report.

How businesses should read it

This case should not be read as saying that post-incident reports can never be privileged. Nor should it be read as saying that any engagement with regulators destroys privilege. The extract points to a narrower but important lesson: privilege is highly fact-specific, and courts will test whether the legal purpose truly predominated once all the surrounding circumstances are considered.

For a business owner, founder or board member, the practical risk usually arises when one report is expected to do too many jobs. After a cyber incident, fraud event, workplace complaint or governance failure, a business may want a single external review to help lawyers, satisfy regulators, reassure customers, inform directors, support remediation and demonstrate transparency. That may be commercially understandable, but it can make the dominant purpose harder to prove.

The safer approach is to decide early what each workstream is for. If one stream is genuinely for legal advice, scope it and govern it accordingly. If another stream is for remediation, regulator engagement, customer assurance or public accountability, treat that as a separate stream where possible. Keep instructions, governance papers and communications aligned with the actual purpose of each stream.

The case also matters for communications discipline. Public statements made in the middle of a crisis can later be examined closely. If a business publicly frames a review as a transparency exercise or promises to share findings or lessons, that may later be used as evidence about the review's purpose or as part of a waiver argument. That does not mean businesses should avoid public communication. It means legal, executive and communications teams should coordinate carefully before describing what a review is for and what will happen to its outcomes.

  • Decide at the outset whether you need separate legal, regulatory and remediation workstreams.
  • Use retainer language carefully, but do not rely on it as the only protection.
  • Make sure board papers, regulator communications and public statements are consistent with the intended purpose of each report.
  • Assume a court may later examine the practical role the report was expected to play across the whole organisation.
  • Treat waiver as a separate risk from dominant purpose and manage public messaging accordingly.

Dates and status

The Full Court judgment records that the matter was heard on 19 and 20 March 2026 and judgment was delivered on 20 March 2026. The Court dismissed Medibank's application for leave to appeal from the primary judgment in McClure v Medibank Private Limited [2025] FCA 167 and ordered Medibank to pay the respondents' costs.

The extract also records that the reasons were delivered ex tempore and revised from the transcript. The available material provides a substantial account of the Court's reasoning and is sufficient to explain the commercial significance of the decision, while still warranting care on fine points of nuance.

Source notes

This page is based on the published Federal Court judgment for Medibank Private Limited v McClure [2026] FCAFC 38. The extract includes the orders, catchwords, procedural posture, key factual background and substantial reasoning on dominant purpose and waiver.

Readers should keep in mind that privilege disputes are intensely fact-dependent. The Court's analysis turned on the specific combination of public statements, regulator engagement, governance materials, retainer wording and witness evidence in this matter. Another business with a different structure or communications record may face a different result.