
Federal Court confirms $5.8m penalty against Australian Clinical Labs over data breach

16 October 2025
Adrian Chotar, Partner, Sydney
Dudley Kneller, Partner, Melbourne
Sinead Lynch, Partner, Sydney
Mitchell Wright, Partner, Canberra
Raisa Blanco, Special Counsel, Melbourne

The Federal Court has confirmed Australian Clinical Labs (ACL) must pay a $5.8m civil penalty along with $400,000 in legal costs to settle proceedings commenced by the Australian Information Commissioner (OAIC).[1]

The proceedings arose from the OAIC’s investigation into a cybersecurity attack on Medlab Pathology (Medlab), a business ACL had acquired only two months prior, which exposed personal information relating to approximately 223,000 Australians.[2]

This matter serves as a pertinent reminder that the OAIC is taking an increasingly active approach to enforcing compliance with the Privacy Act 1988 (Cth) (Privacy Act) and Australian Privacy Principles (APPs), and of the need to ensure your business is ready to handle cybersecurity incidents.

In this article, we step through key takeaways for businesses – particularly given the recently expanded penalty and investigatory powers regime under the Privacy Act.

Key takeaways

Penalties

ACL’s conduct, and the Incident, occurred before the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) came into force. ACL’s civil penalty of $5.8 million was therefore calculated based on the previous maximum penalty of $2.2 million for each contravention of section 13G of the Privacy Act.

APP entities should be aware that the December 2024 amendments to the Privacy Act further expanded penalties under the Privacy Act to introduce a new tiered civil penalty regime, meaning APP entities need not meet the same ‘serious’ threshold to attract the OAIC’s attention.

As a result, conduct similar to ACL’s will likely incur higher penalties going forward. This not only reflects the expanded civil penalty regime, but also the Federal Court’s view that a $5.8 million penalty would have been “manifestly inadequate” but for the fact ACL was in the process of uplifting its cyber security controls (among other things).

Security measures

The Federal Court (and OAIC’s Concise Statement) demonstrate that:

  1. the regulator and courts expect businesses to deal with cyber incidents quickly, and to ensure their incident response is rigorous;
  2. clear processes are critical to ensuring your business can respond quickly, including when dealing with a threat actor, notifying the regulator, and keeping affected individuals informed of the relevant incident. This includes identifying clear roles and responsibilities in case of an incident, ensuring individuals with the relevant experience and background are appointed to those roles and providing appropriate incident response training, and testing your cyber incident playbook; and
  3. there is no one-size-fits-all approach to security measures – rather, APP entities should review their protection measures in view of their size, resources, and the nature and volume of personal information they hold (i.e. stronger measures may be required when dealing with high volumes of sensitive information).

The incident

In brief:[3]

  1. On 19 December 2021, ACL acquired Medlab, including its computer and communications software.
  2. At the time of the acquisition, Medlab processed approximately 1.5 million pathology patient episodes per year and held sensitive information (e.g. health information) relating to more than 100,000 individuals.[4]
  3. Shortly after the acquisition of Medlab, on or before 25 February 2022, a threat actor (Quantum Group) exfiltrated approximately 86 gigabytes of data from Medlab’s network (Incident), being personal information of at least 223,000 individuals.
  4. Following the Incident, Quantum Group sought a ransom for the return of the information within 48 hours.
  5. Medlab did not pay the ransom.
  6. The exfiltrated information was subsequently posted to the dark web on or before 16 June 2022.

OAIC investigation

The OAIC commenced an investigation into ACL’s response to the Incident in December 2022, and in November 2023 commenced civil penalty proceedings against ACL for ‘serious’ interferences with the privacy of an individual under section 13G of the Privacy Act.

In support of this claim, the OAIC referenced breaches of:

  1. APP 11.1(b) – which requires APP entities to take reasonable steps to protect personal information from misuse, interference and loss. In particular, the OAIC alleged:
    • Medlab’s network deleted firewall logs after one hour, and did not monitor security alerts; and
    • ACL did not undertake a sufficient risk assessment of its network to ensure it was prepared to manage the Incident.
  2. sections 26WH and 26WK of the Privacy Act – which require APP entities to assess whether a data breach is an ‘eligible data breach’ that attracts notification obligations under the notifiable data breaches scheme. In particular, the OAIC alleged ACL:
    • had “failed to carry out any assessment, or a reasonable assessment” of whether the Incident amounted to an eligible data breach;[5] and
    • should have provided a notification to the OAIC within 2-3 business days of becoming aware of the Incident being an eligible data breach (rather than ACL’s 24-day delay).

Noting the breach of APP 11.1(b) related to ACL’s broader customer base, the OAIC alleged that ACL seriously interfered with the privacy of approximately 21.5 million individuals – a risk heightened given the nature of the information held (i.e. including health information).

The OAIC further alleged that ACL’s failures were serious and systemic in nature, in that deficient systems and processes were at the root of ACL’s failure to take reasonable steps. It noted that ACL’s cybersecurity budget at the time of the cyberattack was significantly lower than the OAIC expected in comparison to industry standards, other organisations of ACL’s size, and the nature and volume of health information being held at the time of the Incident.

Federal Court proceedings

ACL advised in an ASX Announcement dated 29 September 2025 that it had reached an agreement with the OAIC to resolve the proceedings, subject to Federal Court approval. This included agreement as to a statement of agreed facts and admissions, and proposed penalties.

The Federal Court’s 9 October 2025 judgement confirmed ACL contravened each provision alleged by the OAIC, finding:

  1. The incident was ‘serious’ – this was determined having regard to “the nature and volume of the personal information, including sensitive health information” held on Medlab’s systems.[6] It would also impact public trust in institutions holding sensitive information;[7]
  2. ACL engaged in separate contraventions – each of the 223,000 affected individuals reflected a separate contravention of section 13G(a) of the Privacy Act, with breaches in respect of the NDB Scheme each being a further contravention.[8] However, the 223,000 contraventions arose from a single course of conduct, suggesting a more limited penalty was appropriate;[9]
  3. ACL failed to act with “sufficient care and diligence” in managing the risk of a cyber attack – ACL’s playbooks were inadequate, failing to clearly define roles and responsibilities and planned communications, be regularly tested, appoint appropriately experienced individuals to key roles (or otherwise provide training to them), or implement key technical security measures (including technical data loss prevention and incident detection measures, and application whitelisting);[10]
  4. ACL implemented only limited security monitoring capabilities – citing the above example of firewall logs only being retained for 1 hour; and[11]
  5. ACL should have taken further steps to assess if the Incident was an eligible data breach – citing the court’s view that:
    • ACL’s review of the incident was inadequate (e.g. assessing only 3 of at least 127 devices affected by the Incident), and failed to consider whether data was likely to have been exfiltrated;[12] and
    • ACL ought (as it admitted) to have been able to prepare a statement to the OAIC within 2-3 days of becoming aware of the exfiltrated information being published on the dark web, noting the delay also interfered with the regulator’s ability to support responses to the incident.[13]

The Federal Court also confirmed the parties’ agreed position regarding penalties, requiring ACL to pay a civil penalty of $5.8 million, and $400,000 in the OAIC’s legal costs.

In doing so, the Court noted that such a penalty would have been “manifestly inadequate” but for the fact that ACL (among other things) was in the process of reviewing its cyber security practices and did not otherwise have a history of non-compliance.

New penalties

December 2024 amendments to the Privacy Act have substantially expanded the scope of civil penalties for ‘serious’ interferences with privacy and introduced a new tiered civil penalty regime. APP entities now need not meet the same ‘serious’ threshold to attract the OAIC’s attention.

Rather, the following penalties can now apply:

Serious interferences with privacy (i.e. the tier applicable to ACL):
  • Penalty for corporations – the greater of: (a) AUD$50m; (b) three times the value of any benefit obtained by the misuse of information; or (c) if that value cannot be determined, 30% of the relevant APP entity's turnover during the breach period.
  • Penalty for individuals (e.g. directors) – AUD$2.5m.

‘Mid-tier’ contraventions that do not meet the threshold of ‘serious’:
  • Penalty for corporations – AUD$3.3m.
  • Penalty for individuals (e.g. directors) – AUD$660,000.

‘Low-tier’ breaches of specific APPs, or failure to comply with a compliance notice:
  • Penalty for corporations – AUD$330,000.
  • Penalty for individuals (e.g. directors) – AUD$66,000.

Coupled with a new mandatory ransomware reporting regime under Australia’s Cyber Security Act 2024 (Cth) (see our previous article), and enhanced requirements under the Privacy Act to have both technical and organisational security measures in place to protect personal information, privacy and cyber compliance is assessed against a significantly more rigorous standard in 2025 than at the time of the Incident.

Our team regularly supports clients in preparing for and responding to a range of privacy and cyber security incidents. Please do not hesitate to get in touch if you would like to discuss how best to manage these risks.


Authored by:

Dudley Kneller, Partner
Raisa Blanco, Special Counsel
Chris Girardi, Associate
Tilly Dalton, Graduate


[1] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 [140]-[141].

[2] [2025] FCA 1224 [74]; OAIC Concise Statement [50].

[3] [2025] FCA 1224 [8]-[39].

[4] OAIC Concise Statement [7].

[5] OAIC Concise Statement [38].

[6] [2025] FCA 1224 [58].

[7] [2025] FCA 1224 [126].

[8] [2025] FCA 1224 [60], [80] & [92].

[9] [2025] FCA 1224 [137].

[10] [2025] FCA 1224 [53].

[11] [2025] FCA 1224 [53].

[12] [2025] FCA 1224 [74]-[79].

[13] [2025] FCA 1224 [89]-[91].

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
