The parent company of a pathology laboratory has been ordered to pay $5.8 million in civil penalties for inadequately protecting patient data, in the first case brought under the Commonwealth Privacy Act.
The Federal Court found that Australian Clinical Labs (ACL) breached privacy law after a cyberattack on its Medlab Pathology business in 2022 led to the unauthorised access and theft of personal information belonging to more than 223,000 people.
The largest part of the penalty—$4.2 million—was for failing to take reasonable steps to protect the personal information.
A further $800,000 was imposed for failing to make a “reasonable and expeditious assessment” of whether the breach had occurred, and another $800,000 for not reporting the incident to the Australian Information Commissioner promptly.
The February 2022 ransomware attack, carried out by a malicious group known as Quantum, saw about 86 gigabytes of data stolen and published on the dark web four months later.
The commissioner was only notified in July 2022, while the public was informed three months later.
Justice John Halley said the company had operated in “a high cyber threat landscape” but failed to identify vulnerabilities in Medlab’s IT systems when it acquired the company for $70 million in December 2021.
He described the privacy law breaches as “extensive and significant.”
“I am satisfied that the contraventions, given the nature of the information posted on the dark web, had at least the potential to cause significant harm to individuals whose information had been exfiltrated,” he wrote.
Officials Welcome Penalties
Australian Information Commissioner Elizabeth Tydd welcomed the Court’s orders, saying the ruling was an important reminder to all organisations holding personal data.
“These orders represent a notable deterrent and signal to organisations to ensure they undertake reasonable and expeditious investigations of potential data breaches,” she said.
Privacy Commissioner Carly Kind called the judgement a “turning point” for the enforcement of privacy law in Australia.
“This should serve as a vivid reminder to entities, particularly providers operating within Australia’s healthcare system, that there will be consequences of serious failures to protect the privacy,” she said.
Matthew Warren, director of the RMIT Centre for Cyber Security Research and Innovation, told AAP the decision was a wake-up call for businesses to treat cybersecurity as a core risk, not merely a technology issue.
“The government’s going to start holding companies to account when they fail in this duty of care,” Professor Warren said.
In an ASX announcement in September, the firm apologised again to customers and employees who were impacted.
“While the Medlab Cyberattack was isolated to the newly acquired Medlab business, we remain steadfast in our commitment to the protection of patient data, data governance, and continuously improving our cybersecurity systems and controls,” the company wrote.
The penalties were imposed under the Privacy Act provisions in force at the time, which set a maximum penalty of $2.22 million per contravention.
New rules, which came into force on Dec. 13, 2022, increased the maximum penalty to $50 million or 30 percent of annual turnover.