22/10/2025

The Federal Court recently ordered Australian Clinical Labs (ACL) to pay $5.8 million in civil penalties following a mishandled ransomware attack in 2022. As noted by Privacy Commissioner Carly Kind, “for the first time, a regulated entity has been subject to civil penalties under the Privacy Act…”
On 25 February 2022, Medlab Pathology, now a part of ACL, was impacted by a ransomware attack that resulted in 86 gigabytes of data being compromised and published on the dark web.
More than 223,000 patients and staff had names, pathology results, credit card numbers and Medicare numbers released. The existence of this breach was publicly announced by ACL in October of 2022.
The penalty was determined under the previous penalty regime. Following the 2022 amendment to the Privacy Act 1988 (Cth), the maximum penalty has increased from $2.22 million per contravention to either $50 million; three times the benefit derived from the contravention; or 30% of annual turnover per contravention.
Key findings
The Federal Court found that ACL failed to:
- take reasonable steps to protect the personal information it held;
- conduct a reasonable assessment of whether the incident constituted an eligible data breach for the purposes of the eligible data breach scheme; and
- notify the Office of the Australian Information Commissioner (OAIC) when it became aware that there were reasonable grounds to believe that there had been an eligible data breach.
Takeaways
Australian Privacy Principle (APP) 11.1 requires organisations and agencies to take reasonable steps to protect the personal information they hold from unauthorised access, modification or disclosure. What is required by ‘reasonable steps’ has not always been clear. This recent ruling has provided entities with clarity on what is expected of them.
In particular, we have learned:
- entities need to have clear plans outlining how they will respond to data breaches, including cyber incidents. They also need to ensure that everyone involved in that plan possesses the skills and training to effectively carry out their role. Organisations and agencies also need to test their plans to make sure they continue to be effective.
- when acquiring new entities, organisations should undertake their own due diligence checks to confirm the new entity has sufficient cyber security protections in place.
- it is dangerous to rely too heavily on third-party security consultants to detect and respond to cyber security incidents. This means when receiving assessments, it is important to ask questions, know the consultants’ methods, and ask if, based on the circumstances, the consultants have done enough.
- entities need to maintain modern cyber security best practice by implementing appropriate:
  - data loss prevention measures;
  - antivirus software;
  - application whitelisting;
  - user behaviour monitoring;
  - staff training;
  - multifactor authentication;
  - access logging.
This case is the first of a number of 2022 data breach cases to reach a resolution. Currently the OAIC is pursuing both the Medibank and Optus data breaches.
For more detailed information, the Federal Court decision is available here: Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224