Australian Clinical Labs Fined A$5.8 Million for Medlab Pathology Data Breach

The Federal Court of Australia has ordered Australian Clinical Labs (ACL) to pay a civil penalty of A$5.8 million, approximately €3.3 million, over a data breach at its subsidiary, Medlab Pathology, in February 2022. The breach affected over 223,000 individuals, and the ruling marks the first civil penalty ever ordered under Australia’s Privacy Act 1988 (Cth).

The breach stemmed from a ransomware attack in which sensitive patient data was exfiltrated. An initial forensic investigation did not identify the data theft, and according to reports it was only in June 2022, when the Australian Cyber Security Centre (ACSC) informed the laboratory that patient data had been posted online, that the exfiltration came to light. Patients were not notified until roughly eight months after the attack.

Compromised data included credit card details and names for over 28,000 patients, with thousands of CVV numbers also exposed. Additionally, health records related to laboratory tests for more than 17,000 patients and over 128,000 health insurance numbers with associated names were stolen. ACL acquired Medlab Pathology in April 2022, subsequently becoming responsible for its data.

The Federal Court found ACL contravened three specific civil penalty provisions of the Privacy Act. These included a failure to take reasonable steps to protect personal information from unauthorised access or disclosure (APP 11.1), a failure to carry out an expeditious assessment of the suspected eligible data breach, and a failure to notify the Australian Information Commissioner and affected individuals about the breach. Justice Halley, in his judgment, described the contraventions as “extensive and significant”, noting their potential to cause substantial harm to individuals.

Australian Information Commissioner Angelene Falk commented on the severity of the case, stating, “The significant penalty ordered by the Federal Court reflects the seriousness of ACL’s conduct and the importance of the obligations under the Privacy Act to protect personal information.” The court reduced the total penalty by 30% after acknowledging ACL’s cooperation with the Office of the Australian Information Commissioner (OAIC) investigation. Contributing factors to the reduction included ACL commencing a cybersecurity uplift program, issuing apologies, and admitting liability.

This case highlights regulatory expectations for robust data protection systems and timely breach response mechanisms. Commissioner Falk also indicated that new penalty regimes, effective from December 2022, allow for significantly higher penalties of up to A$50 million or 30% of adjusted turnover for serious or repeated privacy interferences. Enforcement actions such as this underscore the ongoing focus on accountability for personal information held by organisations.