Australian Clinical Labs cops $5.8 million in relation to cyber incident – first civil penalty under the Privacy Act sends a warning


In late September 2025, Australian Clinical Labs (ACL) and the Office of the Australian Information Commissioner (OAIC) reached an agreement on a civil penalty to bring to an end the proceedings brought by the Australian Information Commissioner (Commissioner) against ACL in relation to a 2022 cyberattack that resulted in a data breach impacting 223,000 individuals. This week, the Federal Court approved the proposed civil penalty, ordering ACL to pay a $5.8 million penalty and contribute a further $400,000 to the OAIC’s legal costs.

This is a groundbreaking judgment, as it is the first civil penalty ordered by the Federal Court in the history of the Privacy Act 1988 (Cth) (Privacy Act) and provides long-awaited judicial consideration of several key provisions which may be enlivened in the event of a cyber incident.

It also serves as a timely reminder to organisations on the importance of investing in cybersecurity and cyber incident preparedness, and a cautionary tale of why privacy and cyber risks should be identified and carefully managed in connection with M&A transactions.

What happened?

In December 2021, ACL acquired the assets of Medlab Pathology Pty Ltd (MedLab). MedLab was a privately owned pathology business operating in New South Wales and Queensland, which provided and facilitated health services. At the time of ACL’s acquisition of MedLab’s assets, MedLab collected and held individuals’ personal information and sensitive information in connection with its services, which included prenatal genetic testing, fertility assessments and testing for sexually transmitted diseases. This information included health information, contact information, credit card information and payment details.

A few months later, in February 2022, a cyberattack on the MedLab information technology (IT) systems, combined with various cybersecurity deficiencies, led to a data breach impacting approximately 223,000 Australians. Varying combinations of health information, contact information and credit and Medicare card numbers were exposed.

Soon after the cyberattack, ACL instructed a third party service provider to investigate, respond to, and provide advice in relation to the cyberattack. However, for the reasons laid out in the Court’s judgment, this investigation and ACL’s subsequent response were significantly lacking.

On 16 June 2022, the Australian Cyber Security Centre contacted ACL to inform it that approximately 80 gigabytes (later found to be 86 gigabytes) of data from the MedLab IT systems had been published on the dark web. ACL notified the Commissioner of the cyberattack and data breach on 10 July 2022. Then, a further three months later, ACL notified and apologised to the public by way of an ASX announcement and a publication on its website.

On 2 November 2023, the Commissioner commenced civil penalty proceedings against ACL seeking declarations that ACL breached section 13G(a) of the Privacy Act for:

  • serious and repeated failures to take reasonable steps to protect 223,000 individuals’ personal information held on the relevant MedLab IT systems, in breach of Australian Privacy Principle (APP) 11.1(b);
  • failure to carry out a reasonable and expeditious assessment of whether there were reasonable grounds to believe the cyberattack amounted to an ‘eligible data breach’, in breach of section 26WH(2); and
  • failure to notify the Commissioner as soon as practicable of the ‘eligible data breach’, in breach of section 26WK(2).

This week, the Federal Court ordered ACL to pay a $5.8 million penalty, made up of the following:

  • $4.2 million for failing to take reasonable steps to protect the personal information of the 223,000 individuals impacted by the data breach;
  • $800,000 for failing to carry out a reasonable and expeditious assessment of whether the cyberattack amounted to an ‘eligible data breach’; and
  • $800,000 for failing to notify the Commissioner, as soon as practicable, about the ‘eligible data breach’.

So what?

The judgment is significant because it:

  1. demonstrates that the Court will take into consideration a set of well-established principles and factors in Australia when determining civil penalties under the Privacy Act, regardless of the headline-grabbing theoretical maximum civil penalty – a different set of facts may result in a very different civil penalty outcome;
  2. provides helpful clarification of how ‘reasonable steps’ are likely to be interpreted in the context of APP 11 (security of personal information) and the steps organisations can take to mitigate civil penalty risks following a cyber incident;
  3. confirms that organisations cannot delegate their duties in relation to investigating and responding to a potential data breach to their third party service providers – accountability remains with the organisation;
  4. paints a cautionary tale of the importance of privacy and cyber due diligence and risk management in M&A transactions and subsequent integration activities, especially in high risk settings;
  5. highlights the heightened data security risks and importance of privacy and cyber security for organisations involved in the life sciences sector, where sensitive health data is used heavily across the full spectrum of diagnostics, health care providers, research and clinical trials; and
  6. shows the increased appetite of the OAIC to pursue civil penalty enforcement actions for serious contraventions of the Privacy Act.

It is important to note that ACL’s data breach occurred prior to the significant increase in the civil penalties for serious or repeated interferences with privacy under the Privacy Act in December 2022 and the first tranche of reforms to the Privacy Act in December 2024. So, with civil penalty proceedings still on foot against Medibank and Optus, privacy enforcement on the agenda and further privacy reforms expected, organisations should be paying attention.

If you need help, please reach out to our team. From mergers and acquisitions, privacy compliance and data governance to cyber risk, commercial contracting, incident response, regulatory engagement and litigation, McCullough Robertson offers the full service of expert privacy guidance for you and your organisation and can deliver practical solutions and assist our clients to stay ahead of and respond to the evolving regulatory landscape.