The Federal Court has imposed a $5.8 million penalty on Australian Clinical Labs Limited (ACL) for serious breaches of the Privacy Act 1988 (Cth) (Privacy Act) following a cyberattack that exposed sensitive data of over 223,000 individuals. The ruling sets a historic benchmark as the first civil penalty ever imposed under the Privacy Act.
Background
ACL acquired Medlab Pathology Pty Ltd (Medlab) in December 2021, inheriting its IT systems. In February 2022, a ransomware attack by the Quantum Group compromised these systems, resulting in 86 gigabytes of personal and health information being exfiltrated and later published on the dark web. The stolen data included health records, passport numbers, and financial information.
Court’s findings
Justice Halley found ACL breached Australian Privacy Principle (APP) 11.1, which requires entities to take reasonable steps to protect personal information from unauthorised access or disclosure. ACL failed to identify and address critical cybersecurity vulnerabilities in Medlab’s systems, including outdated software, weak authentication, and inadequate incident response protocols.
The Court also held ACL contravened sections 26WH and 26WK of the Privacy Act by failing to conduct a timely assessment of the breach and delaying notification to the Australian Information Commissioner (Commissioner). These failures were deemed ‘serious contraventions’, given the sensitivity of the data and the potential harm to affected individuals.
Penalty and implications
ACL was ordered to pay:
- $4.2 million for breaches of APP 11.1;
- $800,000 for failing to assess the breach; and
- $800,000 for failing to notify the Commissioner, plus $400,000 towards the regulator’s costs.
Justice Halley noted that the penalty reflects the seriousness of ACL’s breaches and serves as a clear warning to entities handling personal information. The Court highlighted that organisations must take reasonable steps to secure sensitive data and respond promptly to incidents. Failures in oversight, particularly at the senior management level, can attract significant consequences, and mishandling personal information risks both regulatory action and reputational damage.
Why it matters
This ruling makes it clear that the Commissioner will take privacy breaches seriously, including cases where reporting is delayed or cybersecurity is weak.
For organisations handling personal or health information, this means:
- the board and executives must actively oversee data protection;
- incident response and breach notification processes must be tested and ready; and
- IT systems and vendor arrangements should be regularly reviewed for vulnerabilities.
Failure to act not only risks penalties but can also damage reputation and stakeholder trust. Businesses that take privacy seriously, rather than treating it as a compliance formality, will be in a stronger position to avoid regulatory and commercial consequences.
This article was written with assistance from Adrika Dhawan, Paralegal.
