On 29 September 2025, Australian Clinical Labs (ACL) and the OAIC informed the Federal Court of Australia that they had reached agreement on a $5.8 million penalty arising from ACL's 2022 data breach involving the personal information of 223,000+ Medlab customers, supported by a Statement of Agreed Facts and Admissions (SAFA).
On 8 October 2025, Justice Halley ordered the agreed penalty, making this the first civil penalty under the Privacy Act. The judgment, including the SAFA, is here.
The decision emphasises the importance of:
- understanding cybersecurity risks of targets in appropriate pre-acquisition due diligence, and ensuring that they are sufficiently addressed in the post-acquisition phase.
- having adequate incident response tools (technical tools and organisational tools such as incident response plans) in place that are properly tested in advance – large organisations cannot simply "outsource" incident response to third party advisors.
- ensuring expeditious and reasonable investigation and notification of the Privacy Commissioner where there is an eligible data breach. In this case, a notification delay of a few weeks after there was a sufficient basis for considering that an eligible data breach had arisen amounted to a serious interference with privacy.
The recent judgment demonstrates the Commissioner's intention to pursue penalties in relation to privacy breaches and incident response deficiencies. Following the judgment, the Privacy Commissioner noted that "this should serve as a vivid reminder to entities, particularly providers operating within Australia's healthcare system, that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold." 1
The OAIC has two further civil penalty proceedings against companies arising from significant 2022 data breaches. As with ACL, any penalties imposed in these cases will occur under the prior regime which provided for a maximum of $2.22 million per contravention. The current penalty regime (which took effect from 13 December 2022) provides for maximum penalties of up to $50 million.
1. Overview of incident
In December 2021, ACL (a listed entity and one of Australia's largest private hospital pathology businesses) acquired Medlab, a privately owned pathology business with services in New South Wales and Queensland.
On 25 February 2022, prior to Medlab's IT systems becoming integrated with ACL's, an actor known as the Quantum Group attacked Medlab's servers, which were responsible for various functions, including storing user profiles, processing patient data, and creating and distributing Medlab's reports. ACL instructed a third-party cybersecurity firm, StickmanCyber, to investigate and respond to the incident, but that investigation failed to detect any data exfiltration.
Following notifications from the Australian Cyber Security Centre (ACSC), ACL later identified that sensitive data from over 223,000 individuals was published on the dark web, including financial details, tax file numbers, ID information, contact and health information.
2. How was the penalty calculated?
Last week's judgment imposed the agreed penalty of $5.8 million comprising:
- $4.2 million for failing to take reasonable steps to protect the personal information of Medlab customers from unauthorised access, modification or disclosure (in contravention of APP 11.1(b));
- $800,000 for failing to conduct a reasonable and expeditious assessment of whether there were reasonable grounds to believe that an eligible data breach (EDB) had occurred (in contravention of s 26WH(2) of the Privacy Act); and
- $800,000 for failing to prepare and give to the Commissioner, as soon as reasonably practicable, a statement about the breach (in contravention of s 26WK(2) of the Privacy Act).
The Court found that the $5.8 million agreed penalty was within the range of permissible penalties and would send an appropriate deterrence signal to the healthcare sector, in circumstances where this was the first civil penalty under the Privacy Act.
However, the Court noted that the $5.8 million would have been manifestly inadequate to achieve specific and general deterrence (as required), absent a range of ameliorating factors. Those ameliorating factors included:
- ACL taking meaningful steps to uplift its cybersecurity processes and controls prior to the cyberattack.
- ACL's cooperation in the investigation and admissions.
- The breaches of APP 11.1(b) arising from a single course of conduct.
3. What constitutes reasonable steps under APP 11.1(b)?
APP 11.1(b) requires APP entities to take such steps as are reasonable in the circumstances to protect personal information from unauthorised access, modification or disclosure.
The judgment is the first to provide guidance on how "reasonable steps" should be assessed under APP 11.1(b). The Court was informed by judicial consideration of the same concepts in the Corporations Act:
- It is an objective standard, informed by the circumstances, including the:
  - sensitivity and volume of information
  - potential harm if the information was accessed or disclosed
  - size and sophistication of the entity
  - prevailing cyber threat environment
- It is not capable of being discharged simply by delegating or outsourcing the required steps to a third party without doing anything more.
- A holistic analysis is required of the entity's full framework of systems, policies and procedures.
- Perfection is not required. An entity is not required to identify and take "all possible" or "optimal" steps. Rather, the assessment focuses on whether the steps taken, in their totality, were reasonable.
The finding of ACL's breach was based on:
- The nature and size of its business.
- The sensitive nature and volume of information it held.
- The high cybersecurity risks it faced and risk of harm to individuals.
- ACL's failure to identify and respond to deficiencies in Medlab's IT systems pre- and post-acquisition. For example:
  - In pre-acquisition due diligence, ACL was aware that Medlab did not have sophisticated IT and cybersecurity processes in place, and had not conducted audits or vulnerability or penetration testing in the preceding three years.
  - The due diligence had failed to identify critical weaknesses in Medlab's IT systems, including outdated software, lack of file encryption and insufficient firewalls and antivirus protection.
  - The cyber incident occurred during the 6-month period in which ACL was integrating Medlab's IT systems into its core IT environment. ACL was aware that Medlab's systems were immature in terms of their cybersecurity controls, and were therefore exposed to heightened cybersecurity risks.
- ACL's over-reliance on external service providers, including the third-party cybersecurity firm whose investigation failed to detect data exfiltration.
- Deficiencies in its cyberattack response capabilities, including:
  - ACL's playbooks were overly generalised, with limited detail on containment. They did not clearly define roles and responsibilities, and there were limited communications plans.
  - ACL's incident management processes were inadequate and had not been tested during the 2-month period between the completion of the acquisition and the date of the cyberattack. Medlab personnel managing the initial response had not received training on, or seen, the playbook.
  - ACL had inadequate technology controls and tools for detecting malicious activity, including:
    - endpoint and response tooling
    - application whitelisting
    - security monitoring
    - data recovery plans
    - effective antivirus software
    - adequate authentication measures
    - file encryption
    - systems which could support up-to-date Microsoft software
    - use of multifactor authentication for Medlab's VPN.
4. What is a "serious" interference with privacy?
In order for the highest tier of civil penalty to be imposed (following reforms of the Privacy Act in 2024), there must be a "serious" interference with privacy under s 13G.
The Privacy Act does not define what is "serious", although it outlines relevant factors.
The Court held that a serious contravention is one that is "grave or significant", determined by the degree of departure from the required standard of care and the nature of the conduct, rather than the nature of the provision that has been contravened.
The serious threshold was met in this case, by reference to a range of matters which "significantly heightened the risk" that the personal information would be exposed to unauthorised access. These included the nature and volume of the information impacted, Medlab's IT and response deficiencies, and ACL's reliance on a third-party cybersecurity services provider.
5. How many serious interferences were there?
The Court was satisfied that there was a separate contravention of s 13G(1)(a) for each individual impacted (over 223,000), and not one contravention. This was based on the text of the provision, and the agreed position in the SAFA.
However, as outlined above, in considering the appropriate penalty for these breaches, the Court approached the exercise based on there being one course of conduct which led to the breaches.
6. What is required in relation to the assessment of an eligible data breach?
In relation to the assessment obligation under s 26WH(2), the Court made the following key observations:
- By 2 March 2022, ACL had subjective knowledge of circumstances that were objectively sufficient to establish a suspicion that there may have been unauthorised access to personal information and that such access would be likely to result in serious harm to any of the impacted individuals.
- ACL was aware of the insufficiency of StickmanCyber's assessment, which only monitored some of the computers subject to ransomware and did not investigate the Quantum Group's attack traits to determine whether data was likely to have been exfiltrated. Having regard to these and other limitations, it was unreasonable for ACL to rely solely on StickmanCyber's advice.
- The contravention was also found to be serious, having regard to the matters relevant to the breach of APP 11.1(b), but also to the fact that the breach delayed the Commissioner's ability to perform her statutory function of monitoring ACL's notifications to affected individuals.
7. What is required in relation to notification as soon as practicable?
In relation to the notification obligation under s 26WK(2), the Court made the following key observations:
- On 16 June 2022, the ACSC notified ACL that potentially 80 gigabytes of Medlab data had been published on the dark web by the Quantum Group.
- By this date, ACL had reasonable grounds to believe that there had been an EDB, and its obligation to notify the Commissioner as soon as practicable was engaged. While "practicable" is not defined in the Privacy Act, the Court noted that the information required to be included in a notification is not particularly onerous and is intended to facilitate a notification being made "as soon as practicable" after an entity becomes aware of reasonable grounds to believe that there has been an EDB.
- ACL did not notify until 10 July 2022. To comply, it should have notified within 2-3 days of 16 June 2022.
- This breach was serious for similar reasons as relevant to the breach of s 26WH(2).