Australian Clinical Labs has been ordered to pay $5.8 million in civil penalties after the Federal Court found the pathology company breached privacy laws in relation to a February 2022 cyberattack on its Medlab Pathology business that exposed the personal information of more than 223,000 people. It is the first time civil penalties have been imposed under the Privacy Act 1988 (Cth).
Australian Information Commissioner Elizabeth Tydd said the Court’s orders “provide an important reminder to all APP entities that they must remain vigilant in securing and responsibly managing the personal information they hold.
“These orders also represent a notable deterrent and signal to organisations to ensure they undertake reasonable and expeditious investigations of potential data breaches and report them to the Office of the Australian Information Commissioner appropriately.
“Entities holding sensitive data need to be responsive to the heightened requirements for securing this information as future action will be subject to higher penalty provisions now available under the Privacy Act.”
Justice Halley described the contraventions as “extensive and significant.” The Court imposed:
– $4.2 million for failing to take reasonable steps to protect personal information held on Medlab Pathology’s IT systems, amounting to more than 223,000 contraventions of section 13G(a) via APP 11.1;
– $800,000 for failing to conduct a reasonable and timely assessment of whether an eligible data breach had occurred following the February 2022 cyberattack, in breach of section 26WH(2); and
– $800,000 for failing to prepare and give the Australian Information Commissioner a statement about the breach as soon as practicable, in breach of section 26WK(2).
In his reasons, Justice Halley found:
– ‘ACL’s most senior management were involved in the decision making around the integration of Medlab’s IT Systems into ACL’s core environment and ACL’s response to the Medlab Cyberattack, including whether it amounted to an eligible data breach.’
– ‘ACL’s contraventions … resulted from its failure to act with sufficient care and diligence in managing the risk of a cyberattack on the Medlab IT Systems’
– ‘ACL’s contravening conduct … had at least the potential to cause significant harm to individuals whose information had been exfiltrated, including financial harm, distress or psychological harms, and material inconvenience.’
– ‘the contraventions had the potential to have a broader impact on public trust in entities holding private and sensitive information of individuals.’
His Honour said the penalty was moderated by several factors, including that ‘ACL … cooperated with the investigation undertaken by the office of the Commissioner’, that it had begun ‘a program of works to uplift the company’s cybersecurity capabilities’ which ‘satisfied [his Honour] that these actions demonstrate that ACL has sought, and continues to seek, to take meaningful steps to develop a satisfactory culture of compliance.’ He also took into account the company’s apologies and admissions.
ACL admitted the contraventions, consented to the orders and made joint submissions with the regulator on liability and penalty.
The penalties were imposed under the regime in force at the time, which capped penalties at $2.22 million per contravention. A new regime that commenced on 13 December 2022 permits much higher penalties for serious interferences with privacy (up to $50 million, three times the benefit obtained, or 30% of adjusted turnover per contravention), though those provisions did not apply in this case.
Privacy Commissioner Carly Kind said, “Today’s outcome represents an important turning point in the enforcement of privacy law in Australia. For the first time, a regulated entity has been subject to civil penalties under the Privacy Act, in line with the expectations of the public and the powers given to the OAIC by parliament. This should serve as a vivid reminder to entities, particularly providers operating within Australia’s healthcare system, that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold.”
The decision is Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224. The Office of the Australian Information Commissioner commenced a Commissioner-initiated investigation into ACL in December 2022.