Court tells Medibank to hand over cyber attack reports

Medibank will be forced to hand investigative reports probing Australia’s worst cyber attack to its customers, who are suing the private health giant after their data was leaked on the dark web.

More details about the 2022 hack – in which data, some medical, belonging to more than 10 million current and former customers was released – emerged after Federal Court judge Helen Rofe published her judgment on Friday, having suppressed it for a month.

Former government adviser and cyber tsar Alastair MacGibbon and his private firm CyberCX gave “crisis communication” advice to Medibank after the attack on October 12, 2022, Justice Rofe said in her judgment.

Medibank executives believed customer data was breached only after hackers contacted chief executive David Koczkar on October 19 boasting about a “naughty list” of high-profile people whose medical data, including health treatment for drug abuse and mental health, they claimed to have stolen to extort the private health insurer.

Medibank chief executive David Koczkar. Picture: Nicki Connolly/NewsWire

“(Medibank chair Mike) Wilkins’ evidence was that the realisation that customer data may have been accessed and exfiltrated was a turning point in his mind as to the seriousness of the cyber incident and the potential for legal exposure,” Justice Rofe said.

“From this point, Mr Koczkar said he knew that the cyber incident had the potential to be an even more significant issue than it already was.”

In January 2024 the Albanese government named Russian man Aleksandr Ermakov as the perpetrator of the data breach.

Release of the judgment coincided with news last Friday of a separate hack in which criminals broke into superannuation accounts using passwords stolen in other data breaches. At least $500,000 was taken from four AustralianSuper accounts, the fund confirmed last week.

Responding to the news on Friday, Medibank – which fought to keep Deloitte reports conducted after the attack in October 2022 out of the class action – said in a statement to the ASX it intended to appeal Justice Rofe’s decision.

Baker McKenzie’s co-lead partner in the class action representing lead plaintiffs Zoe McClure and Cihan Solbudak, Ryan Grant, said from a legal perspective Justice Rofe’s decision was orthodox.

Alastair MacGibbon, chief strategy officer at CyberCX.

“Her Honour found that the cyber-security reports had multiple purposes and therefore legal advice was not the dominant purpose (which is the test for privilege),” he said.

“It is a reminder to corporate Australia and the legal profession that where lawyers engage a party to conduct an investigation of some kind, which is not limited to cyber security – corruption and employee misconduct are also common targets for investigations – there lies a risk of multiple purposes for that investigation, such as finding out what happened and ensuring it doesn’t happen again.

“Once you have multiple purposes, there is an increased risk that the court will not find that legal advice was the dominant purpose.”

Medibank argued three Deloitte reports – titled Post Incident Review, Root Cause Analysis and External Review – APRA Prudential Standard CPS 234 – should not be released because they were subject to legal professional privilege. But Justice Rofe disagreed, and found Medibank had four reasons to commission the reports.

“The repeated public references to Medibank’s commissioning of an external review, the engagement of Deloitte to carry out that review, and the stated public purpose of such review being to learn from the cyber incident so as to strengthen Medibank’s ability to safeguard its customers is contrary to the legal purpose being the dominant purpose,” she said.

“Each of the Medibank public communications also contained a commitment to share the results of the external review, a commitment inconsistent with the preservation of legal professional privilege.

“However, Mr Wilkins downplayed that commitment, conceding that despite the repeated public statements about Medibank sharing the results of the external review, at no time did he intend to release or ‘share’ the results of the external review into the public domain.”

The Australian Prudential Regulation Authority also was “hands on” in working with Medibank to develop the scope of the external review, which was “very important” to the health insurer, Justice Rofe said. “The hands-on involvement of APRA in developing the scope of the external review, the multiple tripartite meetings allowing APRA – Medibank’s regulator, and a potential protagonist in penalty proceedings against Medibank over the cyber incident – direct access to all the Deloitte reports was antithetical to ensuring maintenance of that privilege,” she said.

A CyberCX spokesman told The Australian: “CyberCX has been publicly acknowledged as a strategic partner to Medibank, providing support during their cyber incident in 2022. CyberCX is not providing any such support to Medibank in an ongoing way.”

Medibank is facing separate court action from the Office of the Australian Information Commissioner.

Originally published as Court tells Medibank to hand over cyber attack reports

Original URL: https://www.ntnews.com.au/business/court-tells-medibank-to-hand-over-cyber-attack-reports/news-story/e2cf525e7f356b288baaf1346ebfc293