Aust Clinical Labs fined $5.8mil for failing to report data breach

by

reviewed by

Malcolm Burrows

Reading Time:

7–10 minutes

On 8 October 2025, the Federal Court published the judgement of Justice Halley in the case of Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 (AIC v ACL).  Australian Clinical Labs Limited (ACL) was ordered to pay $5.8 million in civil penalties in relation to a 2022 data breach.  This breach resulted in the unauthorised access and exfiltration of the personal information of over 223,000 individuals.  These fines, initiated on application by the Australian Information Commissioner (AIC), constitute the first civil penalties ordered under changes to the Privacy Act 1988 (Cth) (Privacy Act) in 2012 and 2016.[1]

Background to the case of AIC v ACL

ACL is one of Australia’s largest private hospital pathology businesses and was operating in this capacity during the relevant period.[2]  ACL was an Australian Privacy Principle (APP) entity under the Privacy Act.[3]  On 19 December 2021, ACL acquired the assets of Medlab Pathology Pty Ltd (Medlab), a privately owned provider of pathology services in New South Wales and Queensland.[4]

Justice Halley said at [13], that at the time of the breach, ACL was operating in a high cyber threat landscape and was aware of its significant cyber risk profile.[5]  ACL held personal and sensitive information relating to approximately 21.5 million Australians on the Medlab IT Systems.[6]  This included health information, contact information, credit card information, and payment details.[7]

The cyberattack

On or shortly prior to 25 February 2022, a threat actor known as the Quantum Group initiated a cyberattack against the Medlab IT Systems.[8]

ACL did not know the time or method of the cyberattack in which eighty-six (86) gigabytes of personal information relating to 223,269 individuals was accessed and exported.

This exfiltrated data was subsequently published on the dark web, four (4) months after the breach, in June 2022.[9]

Relevant breaches of the Privacy Act

Section 13G

The breach was considered a contravention of APP 11.1(b), which requires an APP entity that holds “personal information” to take “such steps as are reasonable in the circumstances” to protect this data from “unauthorised access, modification or disclosure”.  An eligible data breach of an APP entity will have occurred where there is unauthorised access to information and a reasonable person would conclude that this is likely to result in serious harm of individuals to whom the information relates.[10]  An eligible data breach constitutes an interference with privacy under the Privacy Act, and section 13G provides a civil penalty where this contravention is serious.

In AIC v ACL, Justice Halley contemplated whether ACL’s contravention of APP 11.1(b) met the threshold for “seriousness” determined objectively “by reference to the degree of the departure from the requisite standard of care and diligence” and the nature of the conduct based on a wholistic consideration of the circumstances.[11]  Justice Halley, having particular regard to the “nature and volume of the personal information” held on the Medlab IT Systems, the extent of the Medlab IT System Deficiencies, and the Medlab Cyberattack Response Deficiencies, and ACL’s reliance on a third party cybersecurity services provider, all of which significantly heightened the risk that the personal information would be exposed to unauthorised access.

The Court decided that ACL did not take reasonable steps to protect the personal information held by Medlab because of the following:

“(a) The ACL cyber incidents playbooks did not clearly define roles and responsibilities for incident response efforts, contained limited detail on containment processes that should be deployed in the event of a cyber incident or steps that ACL should take to mitigate exfiltration of data in the event of a cyber incident, and recommended steps for technologies that were not used within the Medlab IT Systems.

(b) There was inadequate testing of incident management processes in the period between the acquisition of the Medlab IT Systems and the Medlab Cyberattack.

(c) Data Loss Prevention was not used on the Medlab IT Systems to detect or prevent the theft of personal information and data held on those systems.

(d) Adequate tooling/products that could perform behavioural-based analysis of activities in order to determine whether malicious actions might be undetected by an antivirus product were not used.

(e) There was no application whitelisting in place to prevent unknown or unauthorised applications from running on Medlab computers.

(f) There were only limited communications plans.

(g) The Medlab IT Team Leader had not seen, used, or received training on the playbooks provided and had no formal cybersecurity background or incident response training.

(h) There was limited security monitoring capability because the firewall logs were only retained for one hour.

(i) Specific data recovery plans had not been developed.

(j) Medlab staff were not required to use multifactor identification to use the Medlab VPN“.[12]

[Bold is our emphasis]

Considering these factors, as well as the sensitivity of the information and nature of ACL’s business, a ‘serious interference’ was established.[13]

Section 26WH

Section 26WH of the Privacy Act relates to a failure to carry out a reasonable and expeditious assessment, stating:

“(1) The entity must:

(a) carry out a reasonable and expeditious assessment of whether there are any reasonable grounds to believe that the relevant circumstances amount to an eligible breach of the entity; and

(b) take all reasonable steps to ensure that the assessment is completed within thirty (30) days after the entity becomes aware [that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity]”.[14]

The breach in this case was considered an eligible data breach that needed to be assessed and reported as it was relevant to an APP entity holding the personal information of individuals.[15]  The Court determined that ACL had reasonable knowledge and awareness of the data breach yet did not carry out any such assessment.[16]  This section was enlivened and therefore a serious breach existed.[17]

Section 26WK

Section 26WK of the Privacy Act relates to a failure to notify of a data breach, it requires entities to provide a statement to the AIC as soon as they become aware of a breach.[18]  It states that:

“This section applies if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity”.[19]

The Court determined that it would have been practicable for ACL to prepare a statement to the AIC under section 26WK as soon as the entity became aware of the data breach.[20]  However, this statement was not provided until 10 July 2022, despite the entity becoming aware on 16 June 2022.[21]  Therefore, a contravention was evident.[22]  Through these contraventions, section 13G was breached.

The Court order

In relation to the breach of section 13G, connected to contraventions of sections 26WH, and 26WK, orders were made.  As section 13G attracted 2,000 penalty units, the value at the relevant period was set at $222.[23]  Given the 223,000 contraventions of section 13G, the Court deemed that a penalty of $5,800,000 Australian dollars was appropriate in the circumstances.[24]  This was the first civil penalty proceeding brought by the AIC in the history of the Privacy Act.[25]

Links and further references

Legislation

Crimes Act 1914 (Cth)

Privacy Act 1988 (Cth)

Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth)

Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth)

Cases

Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224

Australian Securities and Investments Commission v Diversa Trustees Limited [2023] FCA 1267

Australian Securities and Investments Commission v Firstmac Limited [2024] FCA 737

Further information about data breach compliance

If you need advice on your business obligations under the Privacy Act or data breach compliance, contact us for a confidential and obligation free discussion:

Doyles Recommended TMT Lawyer 2024

[1] Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth); Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth).

[2] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [1].

[3] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [10].

[4] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [14].

[5] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [13].

[6] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [15].

[7] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [15].

[8] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [19].

[9] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [34].

[10] Privacy Act 1988 (Cth) s 26WE.

[11] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [51], [57]; Australian Securities and Investments Commission v Diversa Trustees Limited [2023] FCA 1267 at [375]; Australian Securities and Investments Commission v Firstmac Limited [2024] FCA 737 at [51].

[12] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [52]-[53].

[13] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [52].

[14] Privacy Act 1988 (Cth) s 26WH(2).

[15] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [64].

[16] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [75].

[17] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [80].

[18] Privacy Act 1988 (Cth) s 26WK(2).

[19] Privacy Act 1988 (Cth) s 26WK(1).

[20] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [89].

[21] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [89]-[90].

[22] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [92].

[23] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [120]; Crimes Act 1914 (Cth) s 4AA.

[24] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [138].

[25] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [138].

Related insights about data breach compliance

  • Notifiable Data Breach Scheme commenced 23 Feb 2018

    Notifiable Data Breach Scheme commenced 23 Feb 2018

    As of 23 February 2018, certain entities must notify affected individuals of eligible data breaches under the Privacy Act 1988 (Cth). Penalties for non-compliance can reach up to $420,000. Learn more about who’s affected, what constitutes serious harm, how to assess likelihood of harm, and how to prepare a response plan.

    Read more …

  • Legal challenges arising from data loss

    Legal challenges arising from data loss

    Organisations must protect confidential data from external and internal threats. Learn steps to secure data, potential data breach implications, and how a data breach notification bill may require affected entities to notify consumers.

    Read more …

  • How will the new Privacy laws affect your organisation?

    How will the new Privacy laws affect your organisation?

    What were the changes to the Privacy Act in 2014? Legislative changes to the Privacy Act 1988 (Cth) (Privacy Act) will come into effect on 12 March 2014.  The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Amendments) amends the Privacy Act by introducing:

    Read more …

Send this to a friend