The Federal Court has ordered Australian Clinical Labs (ACL) to pay AU$5.8 million in civil penalties following a 2022 data breach involving its then-newly acquired Medlab Pathology business. The breach affected over 223,000 individuals whose data was accessed and infiltrated by malicious actors and is one of Australia’s most significant healthcare cyber incidents.
This marks the first time civil penalties have been imposed under the Privacy Act 1988 (Cth), setting a critical precedent for privacy enforcement in Australia.
ACL was found to have breached several obligations and was fined:
- AU$4.2 million for failing to take reasonable steps to secure personal information (APP 11.1), with over 223,000 contraventions of s 13G(a).
- AU$800,000 for not conducting a timely and adequate assessment of whether the breach was an “eligible data breach” under s 26WH(2).
- AU$800,000 for delays in notifying the Commissioner about the breach (s 26WK(2)).
Justice Halley described the breaches as “extensive and significant,” highlighting failures in senior management oversight, risk management, and the potential for serious individual harm. Although ACL cooperated, admitted liability, and began improving cybersecurity, the ruling is a warning to organisations handling sensitive information to have robust and compliant breach response processes.
With penalties having increased since ACL’s breach, now up to AU$50 million per breach, this case signals a turning point in privacy enforcement in Australia and sends a clear message: serious privacy failures will come with serious consequences.
Key Lessons
- Plan ahead: Delays in assessing and reporting breaches were penalised. Legal, cybersecurity, and privacy teams must align to ensure incident response frameworks are ready.
- Cyber due diligence: Poor IT integration during ACL’s acquisition of Medlab was noted. Acquirers must conduct thorough data and cyber due diligence, especially when sensitive personal information is involved.
- Regulatory pressure is rising: This case used the old (lower) penalty regime. Under current laws, boards and executives face even greater accountability.