In Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 the Federal Court of Australia ordered that Australian Clinical Labs (ACL) pay $5.8 million in civil penalties in relation to a data breach by its Medlab Pathology business in February 2022. The cyber incident resulted in the unauthorised access and exfiltration of the personal information of over 223,000 individuals. ACL also agreed to pay a contribution of $400,000 to cover the Commissioner’s costs.
ACL acquired the assets of Medlab Pathology Pty Ltd on 19 December 2021.
Having acquired the assets of Medlab, ACL did not have adequate cybersecurity controls in place, which meant that it did not take reasonable steps to protect the personal information it held on certain Medlab servers from unauthorised access, modification or disclosure, in contravention of Australian Privacy Principle 11.1(b).
Around 25 February 2022, the Quantum Group initiated a cyberattack against the Medlab IT Systems.
The Medlab Cyberattack resulted in 86 gigabytes of data, including the personal and sensitive health information of more than 223,000 individuals, being exfiltrated and subsequently published on the dark web.
In contravention of section 13G(a) of the Privacy Act, within 30 days of 2 March 2022, ACL failed to take reasonable steps to ensure it carried out a reasonable and expeditious assessment of whether there were reasonable grounds to believe that the circumstances of the Medlab Cyberattack amounted to an eligible data breach within the meaning of section 26WE of the Privacy Act, in contravention of s 26WH(2) of the Privacy Act (Assessment Contravention).
In contravention of section 13G(a) of the Privacy Act, having formed the view by at least 16 June 2022 that there were reasonable grounds to believe that there had been an eligible data breach in the circumstances of the Medlab Cyberattack, ACL failed to prepare and give to the Australian Information Commissioner, as soon as practicable, a statement concerning the Medlab Cyberattack outlining the matters set out in section 26WK(3) of the Privacy Act, in contravention of section 26WK(2) of the Privacy Act.
The penalties were calculated as follows:
- a penalty of $4.2 million for ACL’s failure to take reasonable steps to protect the personal information held by ACL on Medlab Pathology’s IT systems under Australian Privacy Principle 11.1, in contravention of section 13G(a) of the Privacy Act;
- a penalty of $800,000 for ACL’s failure to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred following the cyberattack on the Medlab Pathology IT systems in February 2022, in contravention of section 26WH(2) of the Privacy Act; and
- a penalty of $800,000 for ACL’s failure to prepare and give to the Australian Information Commissioner, as soon as practicable, a statement concerning the eligible data breach, in contravention of section 26WK(2) of the Privacy Act.
Justice Halley identified several factors that reduced the penalty imposed for the section 13G(a) breach from a potential maximum of $495,060,000,000. These included that ACL cooperated with the investigation undertaken by the office of the Commissioner, and that it had commenced a program of works to uplift the company’s cybersecurity capabilities. His Honour also took into account the apologies made by ACL and the fact that it had admitted liability.
The penalties were imposed under the penalty regime in force at the time of the contraventions, which carried a maximum penalty of $2.22 million per contravention. The new penalty regime that came into force on 13 December 2022 allows the Court to impose much higher penalties for serious interferences with privacy. Under the new regime, the maximum penalty per contravention can be as much as $50 million, three times the benefit derived from the conduct, or 30% of a business’s annual turnover.
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.