
OAIC Privacy Act action: Federal Court orders Australian Clinical Labs to pay $5.8 million for 2022 Medlab data breach

The Federal Court has ordered Australian Clinical Labs (ACL) to pay $5.8 million in civil penalties for contraventions of the Privacy Act 1988 (Cth) (Privacy Act) – the first civil penalties ordered under the Privacy Act.

The proceedings arose from a February 2022 cyber attack affecting Medlab Pathology, which ACL had acquired in late 2021. The cyber attack resulted in the exfiltration of approximately 86 gigabytes of data, including personal and sensitive health information of more than 223,000 individuals, which was later published on the dark web.

The Court declared that, following the acquisition and in the aftermath of the 2022 Medlab data breach, ACL failed to:

  • take reasonable steps to protect personal information held by ACL on Medlab’s IT systems – resulting in a penalty of $4.2 million;
  • promptly assess whether an eligible data breach had occurred – resulting in a penalty of $800,000; and
  • notify the Office of the Australian Information Commissioner (OAIC) in accordance with the Privacy Act – resulting in a penalty of $800,000.

This outcome underscores the heightened expectations for organisations handling large volumes of sensitive health and other personal information, including in mergers and acquisitions (M&A) where inherited systems can present elevated cyber risk.

Notably, these penalties were imposed under the pre-December 2022 regime (maximum $2.22 million per contravention). Under the current regime, maximum penalties are significantly higher – up to $50 million, three times the benefit, or 30% of annual turnover per contravention.

Key takeaways for organisations

1. Conduct robust IT due diligence in M&A

Robust cyber security due diligence in M&A is critical, particularly where the target collects or stores high-risk personal information and operates legacy systems. The Court found that ACL failed to identify material deficiencies in Medlab’s IT systems pre-acquisition and was slow to identify and address them post‑acquisition. Those deficiencies included ineffective antivirus protection, weak authentication, firewall logs retained for only one hour, no file encryption and an unsupported legacy Windows server.

2. Take reasonable steps under APP 11

Australian Privacy Principle (APP) 11 requires organisations to take reasonable steps to protect personal information they hold from unauthorised access or disclosure. What is “reasonable” is context specific. The Court considered ACL’s size, the sensitivity and volume of information held and known cyber risks, and found that ACL’s controls fell short of what was required in the circumstances. In practical terms, “reasonable steps” commonly include:

  • Baseline technical controls - such as multifactor authentication for remote/VPN access; data loss prevention; application whitelisting; and encryption of sensitive information.
  • Monitoring and logging - centralised security monitoring with sufficient log retention (beyond one hour) to enable detection and investigation of incidents.
  • Organisational preparedness - clear, tested incident response playbooks aligned to technologies actually in use; specific data recovery plans; and defined roles with trained staff.

3. Strengthen incident response and breach notification

Adequate resourcing and staff training for incident response and notification are important. Under the Privacy Act, where a ransomware incident indicates that a threat actor has accessed personal information, an organisation must complete a reasonable and expeditious assessment within 30 days to determine whether an eligible data breach has occurred. If there are reasonable grounds to believe that an eligible data breach has occurred, the organisation must prepare a compliant statement and notify the OAIC as soon as practicable.

In this case, the data breach was not reported to the OAIC until July 2022, after the Australian Cyber Security Centre (ACSC) advised that personal information from the Medlab attack had been published on the dark web. A key factor in ACL’s failure to report earlier was an overreliance on its third-party cyber security service provider and inadequate internal procedures for detecting and responding to cyber incidents, leading ACL to incorrectly conclude that no personal information had been compromised. In contrast, the Court found that the information available to ACL in early March 2022 should have prompted further assessment.

For practical guidance on preserving legal professional privilege when investigating a data breach, see our earlier article on protecting privilege in cyber incident investigations.


This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.

Our cyber and information security expertise

DMAW Lawyers has you covered when it comes to identifying your legal obligations, assessing risk and exposure, and putting in place strategies to manage legal risks and meet regulatory obligations, whether that be:

  • digital information security obligations and protections in supply chain contracts;
  • privacy, data breach assessment, incident response and notification laws;
  • on-boarding and off-boarding processes; or
  • fit for purpose employment contracts and digital security and AI policies.

Find out more about how our cyber and information security legal experts can assist your business.
