From warning to wallet - first civil penalties for privacy breach
By Katherine Jones, Morgan Lane and Jessica Yazbek
Australian Clinical Labs Limited was ordered to pay $5.8 million in penalties after a major data breach, marking the first civil penalty under the Privacy Act and highlighting the need for strong cyber security and timely breach notification.
In brief
The Federal Court of Australia has ordered the first civil penalty under the Privacy Act 1988 (Cth) against Australian Clinical Labs Limited (ACL) totalling $5.8 million, plus an order for ACL to pay $400,000 in costs, as a result of a data breach that Medlab Pathology Pty Ltd (Medlab) suffered in February 2022.
This is the first civil penalty proceeding brought by the Australian Information Commissioner (Commissioner) in the history of the Privacy Act.
Although the civil penalties awarded in this case do not reflect the increased penalty provisions that came into effect in December 2024, the case marks the beginning of a new wave of litigation over failures by large Australian companies to adequately prevent and respond to data breaches.
Background
The key facts you need to know:
- ACL acquired the Medlab assets (including its IT systems) on 19 December 2021.
- On 25 February 2022, a threat actor group, ‘Quantum Group’, launched a ransomware attack against Medlab’s IT systems (Medlab Cyberattack). This included a ransom note threatening to publish Medlab’s data within 48 hours.
- The Medlab Cyberattack resulted in the exfiltration of 86GB of data, including personal and sensitive health information.
- ACL instructed StickmanCyber to investigate on the same day. StickmanCyber had been ACL’s third-party cybersecurity services provider since February 2021, providing general services in relation to ACL’s IT environment and cybersecurity processes and controls.
- On 1 March 2022 (four days later), StickmanCyber ceased investigating whether there had been any exfiltration of data as a result of the Medlab Cyberattack, with the last dark web scan being conducted on that day.
- On 2 March 2022, StickmanCyber provided ACL with an “Incident Summary Report” summarising its findings and conclusions, stating that the “Root Cause” computer was infected, and that “TSsel.exe was executed” by:
  (a) spreading across the network;
  (b) adding “attribute .quantum” to all readable files; and
  (c) encrypting all “.quantum” files.
- Based on the analysis conducted and the advice provided by StickmanCyber, ACL determined on 21 March 2022 that the Medlab Cyberattack was not an eligible data breach within the meaning of section 26WE of the Privacy Act.
- On 25 March 2022, the Australian Cyber Security Centre (ACSC) contacted ACL, advising that it had received intelligence from a trusted third party that ACL may have been the victim of a ransomware incident and that ACL may be required to notify the OAIC and impacted individuals.
- On 16 June 2022, the Quantum Group published the 86GB of data on the dark web. The ACSC notified ACL of the publication, having previously warned ACL of that risk.
The Federal Court proceedings
On 2 November 2023, the Commissioner commenced proceedings in the Federal Court seeking orders that ACL had breached section 13G(a) of the Privacy Act by failing to:
- take reasonable steps to protect individuals’ personal information that it held over the period from 26 May 2021 to 29 September 2022, in breach of APP 11.1(b); and
- conduct a reasonable assessment of whether the Medlab Cyberattack constituted an “eligible data breach”, and then failing to notify the Commissioner as soon as practicable, in contravention of section 26WH(2) and section 26WK(2) of the Privacy Act.
The relevant statutory provisions
Section 13 of the Privacy Act relevantly provides:
13 Interferences with privacy
APP entities
(1) An act or practice of an APP entity is an interference with the privacy of an individual if:
(a) the act or practice breaches an Australian Privacy Principle in relation to personal information about the individual…
Under Schedule 1 of the Privacy Act, there are 13 legally binding Australian Privacy Principles (APPs). Specifically, APP 11 requires an APP entity that holds “personal information” to take “such steps as are reasonable in the circumstances” to protect personal information from “unauthorised access, modification or disclosure”.
At the time the proceedings were commenced, the previous civil penalty regime applied, under which the Court could award penalties of up to $2.22 million for each contravention of section 13G of the Privacy Act, which provides:
13G Serious and repeated interferences with privacy
An entity contravenes this subsection if:
(a) the entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual; or
(b) the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.
Important note:
As part of the December 2024 amendments to the Privacy Act, new civil penalty provisions were introduced, and existing penalties were increased considerably.
The new maximum penalty under section 13G of the Privacy Act is now $2.5 million for a non-body corporate, and for a body corporate, either:
- $50 million;
- if a court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtained from the contravention, three times the value of that benefit; and
- if a court cannot determine the value of that benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period (minimum 12 months) for the contravention.
As ACL's conduct in issue occurred before the commencement of the updated penalty provisions, the above increased civil penalty provisions did not apply.
Penalties ordered
Justice Halley ordered that within 30 days ACL is to pay to the Australian government a civil penalty of $5.8 million, comprised of:
- $4.2 million for the contravention of APP 11.1(b);
- $800,000 for the contravention of section 26WH(2) of the Privacy Act; and
- $800,000 for the contravention of section 26WK(2) of the Privacy Act.
In addition, ACL was ordered to pay to the Commissioner a contribution of $400,000 towards the Commissioner’s costs in the proceeding.
Reasons for the penalty orders
Justice Halley ultimately found that:
- there had been an “eligible data breach” per section 26WE of the Privacy Act, and as a result, ACL did not notify the impacted individuals within the required 30 days per section 26WH(2) of the Privacy Act, nor provide the required statement under section 26WK(3);
- ACL did not take “such steps as are reasonable in the circumstances” to protect the personal information held on the Medlab IT Systems from “unauthorised access” and “unauthorised disclosure”, in breach of APP 11.1(b);
- there were approximately 223,000 contraventions of section 13G(a) arising from ACL’s breach of APP 11.1(b), as the Privacy Act is directed at the “protection of the privacy of individuals”; and
- “in aggregate, the agreed penalty of $5.8 million is appropriate in all the circumstances”.
It was for the following principal reasons that Justice Halley was satisfied that the penalties should be ordered:
- At the time ACL acquired Medlab, Medlab’s IT Systems were deficient in cyber security, and ACL failed to identify and remediate those deficiencies at the time, which ultimately left Medlab vulnerable to a cyberattack;
- ACL’s contraventions resulted from its failure to act with sufficient care and diligence in managing the risk of a cyberattack on the Medlab IT Systems, including the overreliance that ACL placed on third-party service providers and its failure to have in place adequate procedures to detect and respond to cyber incidents itself;
- the risk of harm to individuals, given the volume and nature of the sensitive personal information held by ACL, including financial harm, distress or psychological harm, and material inconvenience;
- the contraventions had the potential to have a broader impact on public trust in entities that hold private and sensitive information of individuals and that identify and report data breaches;
- ACL is one of Australia’s largest private hospital pathology businesses. It was operating in a high cyber threat landscape with a significant cyber risk profile, and ACL was aware of that fact; and
- ACL’s most senior management were involved in the decision making around the integration of Medlab’s IT Systems into ACL’s core environment and ACL’s response to the Medlab Cyberattack, including whether it amounted to an eligible data breach.
The Court considered whether the penalty of $5.8 million was appropriate when balanced against other relevant factors in the matter, including:
- ACL did not derive financial gain or benefit from the contraventions;
- ACL has not previously contravened the Act or engaged in any similar conduct;
- the contraventions were not deliberate;
- ACL demonstrated it sought, and continues to seek, to take meaningful steps to develop a satisfactory culture of compliance;
- ACL cooperated with the investigation undertaken by the Commissioner;
- following the commencement of the proceeding, ACL admitted the contraventions;
- ACL’s CEO apologised for the Medlab Cyberattack in its ASX announcement; and
- the contraventions arose from a single course of conduct (i.e. deficient IT Systems).
ACL’s conduct and what not to do
As outlined by Justice Halley in the judgment, and admitted by ACL, ACL’s ability to detect and respond to cyber incidents was deficient. The following list, drawn from the judgment, can serve as a guide for your business:
- Cyber incident playbooks should clearly define roles and responsibilities for incident response efforts, and should provide detail on containment and mitigation processes for cyber incidents.
- Businesses should adequately test their incident management processes.
- There should be adequate tools to detect or prevent the theft of personal information and data held on those systems.
- There should be adequate tools that can perform behavioural-based analysis to detect malicious actions that might go undetected by an antivirus product.
- Application whitelisting should be in place to prevent unknown or unauthorised applications from running on computers.
- There should be adaptable communications plans.
- IT team leads should have seen, used and received training on the playbooks provided.
- Logging should be sufficient to enable security monitoring and investigation.
- Specific data recovery plans should be developed.
- Staff should be required to use multifactor authentication.
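As an added example (not part of this article, the judgment, or any ACL or StickmanCyber tooling), the Python script below illustrates the kind of behaviour-based monitoring and sufficient logging the list above calls for: it reads constructed file-audit log lines, raises an alert for a host where a burst of files is renamed with the “.quantum” extension (the mass-encryption pattern described in the Incident Summary Report), and raises a second alert for any process image outside an application allowlist. The log format, host names and allowlist contents are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real ACL/Medlab data). The field layout
# "<ISO time> host=<h> proc=<image> op=<rename|write> path=<p>" is an assumption.
SAMPLE_LOG = """\
2022-02-25T02:14:01 host=LAB-WS07 proc=TSsel.exe op=rename path=C:\\Share\\r001.pdf.quantum
2022-02-25T02:14:01 host=LAB-WS07 proc=TSsel.exe op=rename path=C:\\Share\\r002.pdf.quantum
2022-02-25T02:14:03 host=LAB-WS07 proc=TSsel.exe op=rename path=C:\\Share\\r003.pdf.quantum
2022-02-25T02:14:05 host=LAB-WS07 proc=TSsel.exe op=rename path=C:\\Share\\r004.pdf.quantum
2022-02-25T02:14:06 host=LAB-WS07 proc=TSsel.exe op=rename path=C:\\Share\\r005.pdf.quantum
2022-02-25T02:15:10 host=LAB-WS12 proc=winword.exe op=write path=C:\\Users\\jdoe\\notes.docx
2022-02-25T02:16:00 host=LAB-WS12 proc=explorer.exe op=rename path=C:\\Users\\jdoe\\old.quantum
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) proc=(\S+) op=(\S+) path=(.+)$")
# Illustrative application allowlist (an assumption, not ACL's actual policy).
APPROVED = {"explorer.exe", "winword.exe", "excel.exe", "chrome.exe"}

def parse(log):
    """Turn raw lines into (timestamp, host, process, operation, path) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, proc, op, path = m.groups()
            events.append((datetime.fromisoformat(ts), host, proc, op, path))
    return events

def detect(log, ext=".quantum", threshold=5, window_s=60):
    """Return alerts: one per host with >= threshold renames to `ext` inside any
    window_s-second span (mass encryption), and one per unapproved process image."""
    alerts, by_host, unapproved = [], defaultdict(list), set()
    for ts, host, proc, op, path in parse(log):
        if proc.lower() not in APPROVED:
            unapproved.add((host, proc))
        if op == "rename" and path.lower().endswith(ext):
            by_host[host].append(ts)
    for host, times in sorted(by_host.items()):
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(f"mass-rename host={host} renames>={threshold} within {window_s}s")
                break
    for host, proc in sorted(unapproved):
        alerts.append(f"unapproved-process host={host} proc={proc}")
    return alerts
```

A single rename to “.quantum” by an approved process (the LAB-WS12 line) produces no alert, so the threshold and window, not the extension alone, drive the mass-rename detection.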
If your organisation is concerned about data protection, cyber risk, or compliance with the Privacy Act, now is the time to act. Reach out to the Technology & Data team for guidance on best practices, incident response, and strengthening your cyber resilience.