Australian Clinical Labs ordered to pay $5.8 million in relation to a data breach suffered by its Medilab Pathology business.
On 8 October 2025, the Federal Court ordered Australian Clinical Labs Limited (ACL) to pay a penalty of $5.8 million in relation to a data breach suffered by its Medilab Pathology business which resulted in ACL breaching the Privacy Act 1988 (Cth) (the Act). Although ACL became aware of the cyber-attack in February 2022, the Office of the Australian Information Commissioner (OAIC) and affected individuals were not notified until much later in 2022.[1]
Aside from containing the first civil penalty orders (which were made by consent), the judgment is interesting for the lessons which can be learned. When acquiring a business it is important to ensure that privacy and cybersecurity due diligence is adequate and steps are taken promptly to reduce any cyber risks which are identified. A thorough investigation and assessment of a data breach must be conducted quickly to ensure that affected individuals and the OAIC are notified promptly if the data breach is likely to result in serious harm to those individuals. The judgment also sets out the various factors considered relevant when determining the appropriate penalty amounts.
Background
ACL is listed on the Australian Stock Exchange and is one of Australia’s largest hospital pathology service providers.
Between December 2021 and July 2023, the cyber threat environment for health service businesses like ACL was high as evidenced by targeted cyber-attacks on health businesses in the USA, and the number of Australian health businesses reporting data breaches to the OAIC.
In December 2021, ACL acquired Medilab Pathology Pty Ltd (Medilab), a private pathology business operating in NSW and Queensland providing a range of services including genetic and sexually transmitted disease testing and fertility assessments. ACL’s acquisition included Medilab’s IT systems (hardware, software, equipment and systems). During the due diligence process, which primarily involved the completion of a questionnaire, specific vulnerabilities were not detected. In January 2022, plans were made to integrate Medilab’s IT systems with ACL’s own IT environment by 30 June 2022.
On 25 February 2022, ACL became aware that a malicious actor (the Quantum Group) had attacked part of the Medilab IT system which ACL was operating. On the same date, ACL engaged a third-party cyber security firm to investigate and provide advice. On 21 March 2022, ACL determined that the data breach was not notifiable under the notifiable data breach scheme contained in the Privacy Act, on the basis that there was no evidence that data had been exfiltrated (so the incident was not likely to result in serious harm to affected individuals, which would have made the incident an “eligible data breach” under s26WE of the Act and required it to be notified to the OAIC and affected individuals).
A month later, on 25 March 2022, the Australian Cyber Security Centre (ACSC) notified ACL that:
- it had received intelligence that Medilab may have suffered a ransomware incident; and
- ACL may be required to notify the OAIC and affected individuals if the incident was an eligible data breach.
Despite ACL’s conclusion that the data breach was not notifiable, 86 gigabytes of data had in fact been exfiltrated, unbeknown to ACL. The data included health and financial information as well as passport numbers and, by (or on) 16 June 2022, it had been published on the dark web.
On 16 June 2022, the ACSC sent a second notification to ACL regarding the incident (and intelligence it had received) at which point ACL undertook further internal investigations and obtained external legal advice.
On 10 July 2022 (nearly five months after first becoming aware of the incident), ACL notified the OAIC that it had reasonable grounds to believe that the data breach was notifiable.
Despite notifying the OAIC on 10 July 2022, it was not until 27 October 2022 (more than 3 months later) that ACL:
- provided details of the incident to the ASX (given it had continuous disclosure obligations as a listed company);
- published a statement about the incident on its own website which noted that approximately 223,000 individuals were affected – impacted information included health information, Medicare numbers and credit card details (including some CCV codes); and
- commenced notifying the affected individuals (despite being aware that the breach was notifiable more than three months prior).
ACL’s contraventions of the Privacy Act
The Federal Court found that ACL had failed to comply with numerous privacy obligations in the Privacy Act and APPs.
- ACL failed to take reasonable steps to ensure its cybersecurity controls for the Medilab business were adequate, e.g. Medilab’s computers used weak antivirus software and authentication measures; the network perimeter was only basic and firewall logging was insufficient. This was a breach of APP 11.1 (a failure to take reasonable steps to protect personal/sensitive information). This failure was also a serious interference with the privacy of more than 223,000 individuals because of the nature of the exfiltrated data and the data being published on the dark web. Each individual whose information was breached was a separate contravention of s13G(a) of the Privacy Act (i.e. more than 223,000 contraventions). A $4.2 million penalty was ordered for breaching APP 11.1 and s13G(a) of the Act.
- ACL failed to carry out a reasonable and expeditious assessment of the data breach (within 30 days of becoming aware of the breach) to see whether it was an eligible data breach, i.e. a data breach requiring notification to both the OAIC and affected individuals. This was a breach of s26WH(2) of the Act and resulted in an $800,000 penalty. Among other matters, the assessment conducted by its external cyber security firm was not adequate.
- Once ACL had reasonable grounds to believe that the breach was notifiable, it failed to provide the Commissioner with a statement about the eligible data breach as soon as practicable. This was a breach of s26WK(2) of the Act and resulted in an $800,000 penalty.
How were the penalty amounts determined?
A civil penalty amount of $5.8 million was considered appropriate after taking into account the following matters:
- ACL contravened s13G(a) of the Act by breaching APP 11.1(b) at least 223,000 times – each a separate serious interference with an individual’s privacy.
- The nature and extent of any loss or damage included the exposure of approximately 223,000 individuals to possible emotional distress, identity theft, financial crime and extortion (with the exfiltrated data being published on the dark web).
- No similar findings had been made by a Court against ACL previously.
- ACL did not obtain a financial gain or benefit from the breach.
- While senior management of ACL were involved in the integration of Medilab’s systems with ACL’s systems and ACL’s response to the incident, there was no evidence that the s13G(a) contravention had resulted from any senior management deliberate misconduct.
- ACL had sought to improve its corporate culture regarding compliance and its remediation process and had undertaken a works program to uplift its cyber security.
- ACL’s size – it has more than 5,000 employees and its revenue for the 2022/23 financial year was $697 million.
- ACL co-operated with the OAIC’s investigation providing various written responses and producing approximately 12,000 documents.
- The CEO apologised in October 2022.
Had the breach occurred after 13 December 2022, the financial consequences for ACL could have been far greater as the Privacy Act was amended to allow the Court to order civil penalties for a single contravention being the greater of $50 million, three times the benefit of the contravention or 30% of a company’s annual turnover.
Action Items
This case is a timely reminder to companies that:
- attention needs to be given to cyber security matters during due diligence, with ongoing focus after an acquisition is completed;
- reasonable steps must be taken to secure personal information at all times;
- if a data breach is suspected, it must be quickly and thoroughly investigated and remediated;
- where a data breach is notifiable, the OAIC and affected individuals must be notified promptly; and
- the penalties for non-compliance can be very substantial.
Companies can now expect far greater penalties for non-compliance.
[1] Australian Information Commissioner v Australian Clinical Labs Limited (No. 2) [2025] FCA 1224: https://www.judgments.fedcourt.gov.au/judgments/Judgments/fca/single/2025/2025fca1224