Australian Information Commissioner v Australian Clinical Labs: first civil penalty under the Privacy Act

The Federal Court’s judgment in Australian Information Commissioner v Australian Clinical Labs Ltd (No 2) [2025] FCA 1224, marks a watershed moment for Australian privacy compliance. 

In 2022, Australian Clinical Labs Limited (ACL) suffered a ransomware attack on IT assets it had acquired from Medlab Pathology Pty Ltd (Medlab) just three months earlier. That attack led to the disclosure of highly sensitive data (including health data) belonging to more than 223,000 individuals. As a result, ACL was ordered to pay $5.8 million for contraventions of the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Act). 

It is the first time a court has considered APP 11.1(b) and the Act’s notifiable data breach and penalty regimes. Critically, it provides examples of the technical and organisational steps businesses may need to take to secure personal information to the standard required by the Act. 

However, as the Court made its determinations based on an agreed statement of facts and admissions (SAFA), the judgment focuses on confirming the appropriateness of the agreed admissions and penalties proposed in the SAFA, rather than providing broader commentary on the requirements of APP 11. While useful, the Court’s findings must therefore be understood within ACL’s specific circumstances. The ongoing Optus proceedings (discussed in Navigating Australia’s evolving cyber regulatory landscape) should provide further guidance on these provisions. 

In this article, we explore the judgment’s key practical takeaways and break down the legal considerations. 

Know your privacy risk exposure

An entity’s obligation to take reasonable steps to protect personal information under APP 11 will be assessed as what a reasonable person would do in the entity’s particular ‘circumstances’. That means the level of care required will change depending on the entity’s risk exposure and capability. For example, because of ACL’s size and sophistication, the volume and sensitivity of the information that it held, and the 'high cyber risk landscape' in which it operated, a higher standard of protection was required.

Businesses should conduct regular stocktakes of their privacy risk exposure, and ensure their policies, controls, and systems are tailored appropriately to that level of risk. We also recommend businesses have regard to expert reports on the broader risk environment for their sector.

Conduct adequate privacy and cyber diligence in transactions

ACL failed to identify certain technical security deficiencies in Medlab’s assets during acquisition due diligence. This failure contributed to a finding that ACL had not adequately protected the personal information in its control. Where an acquisition target presents high privacy compliance risks (e.g. because the target holds highly sensitive information), the acquiring business must consider whether in-depth technical due diligence is required. This may include penetration testing, vulnerability assessments, and detailed reviews of IT infrastructure. Where deficiencies are identified, acquirers must have clear plans to remediate the issues (ideally prior to completion of the transaction) or ensure adequate interim protections are in place during any integration period. Good legal advice will identify the potential regulatory risks of an acquisition, and technical due diligence can then focus on ensuring those risks are addressed.

Develop appropriate cyber incident playbooks and ensure staff are trained on them

ACL used deficient cyber incident response plans and playbooks when responding to the incident. The staff responding to the breach had not seen or been trained on those playbooks. Together, those failures meant ACL could not adequately contain or respond to the data breach. Legal and technical teams should work closely to develop incident response plans. Plans must:

• be detailed;
   
• clearly define roles and responsibilities for the response;
   
• contain concrete steps for containing a data exfiltration attempt;
   
• reflect the technology used in the business; and
   
• include processes for communicating with key stakeholders (e.g. affected individuals, regulators, and management). 

Staff must be trained on those playbooks.

Avoid over-reliance on third parties for data breach investigations and responses

ACL engaged a service provider to investigate the incident. That investigation was inadequately limited in scope, but ACL relied on the findings to conclude (incorrectly) that notification to the Office of the Australian Information Commissioner (OAIC) was not required. The Court found ACL was over-reliant on its service provider, lacked adequate capability to respond itself, and should have known the investigation’s scope was insufficient. The Court provided limited guidance on when reliance on experts will be inappropriate. Until a court provides further guidance, businesses should carefully consider which parts of an incident response can be outsourced, and which need to be managed internally. Businesses must maintain in-house response capability that reflects their sophistication and risk exposure. Businesses must also be prepared to interrogate the scope and sufficiency of a third-party breach investigation before relying on its findings to determine whether regulatory obligations are triggered.

Notify data breaches promptly 

Once ACL was aware that an eligible data breach had occurred, it needed to submit a notification as ‘soon as practicable’. The Court held that it should have notified within two to three days. Instead, ACL sought further legal advice and did not notify until almost a month later. Businesses should have procedures in place to ensure notification is given promptly, including by engaging legal advisors as early as possible. Importantly, businesses should not delay notification to conduct exhaustive investigations into every detail of the breach. The initial notification requirements are deliberately streamlined to enable prompt reporting, even where limited information on the breach is available. 

Penalties for serious data breaches are substantial

By breaching APP 11, ACL was held to have committed over 223,000 ‘serious interferences with the privacy of an individual’ – one contravention for each individual affected by the breach. Under the penalty regime applicable at the time of the incident, the maximum penalty for those contraventions was $495 billion (at $2.2 million per contravention). Those penalties have since increased. Now, courts can award a maximum penalty of $50 million, three times the value of any benefit obtained from the contravention, or 30% of the entity’s turnover during the breach period per contravention.

Timeline of the data breach

ACL’s acquisition of Medlab

ACL is one of Australia’s largest private pathology providers. On 19 December 2021, ACL acquired the assets of Medlab. Those assets included Medlab’s IT systems and large volumes of patient health, contact, credit and payment information. Medlab’s IT systems contained cybersecurity deficiencies, including inadequate antivirus and firewall protection, weak authentication measures, no encryption capability, and outdated and unsupported operating software. ACL did not identify those cybersecurity deficiencies as part of its diligence on Medlab’s assets, and the deficiencies remained until Medlab’s IT assets were integrated into ACL’s own environment. However, as a result of its diligence, ACL knew: 

• Medlab had not conducted an IT penetration test, vulnerability assessment, or IT security audit in the preceding three years;
   
• Medlab did not have sophisticated IT and cybersecurity processes in place, such as data recovery plans; and
   
• to the best of Medlab’s knowledge, Medlab did not have any documents or reports prepared by or for it which identified threats to the security of sensitive information handled by it. 

The cyber attack

In late February 2022, around two months after the acquisition of Medlab by ACL, a cybercriminal group known as ‘Quantum’ launched a cyber attack on the Medlab IT systems, encrypting files and demanding a ransom. Unknown to ACL, the attackers exfiltrated approximately 86 gigabytes of data, including personal and health information of more than 223,000 individuals. 

ACL’s response

ACL’s initial response to the attack relied heavily on a third-party cybersecurity consultant, StickmanCyber. StickmanCyber’s investigation of the attack was limited in scope. 
It deployed monitoring agents on just three of 127 computers affected by the attack, examined backed-up firewall logs that provided only one hour of data, performed periodic searches of the dark web between 22 February and 1 March, and conducted a limited investigation of whether the attacker may have established mechanisms to stay connected to the affected IT assets and network. ACL provided the Medlab employee in charge of responding to the attack with malware outbreak and ransomware playbooks, which the Medlab employee had not previously seen. The employee had no formal cyber security background.

Stickman Cyber’s advice against notification

StickmanCyber advised ACL that no data had been exfiltrated, and notification was likely not required. Relying on that advice, ACL concluded that no eligible data breach had occurred and did not notify the OAIC or affected individuals. On 25 March 2022, the Australian Cyber Security Centre (ACSC) alerted ACL to intelligence suggesting Medlab had been the victim of a ransomware incident and reminded ACL of the notification obligations under the Act. ACL maintained, based on its own monitoring and StickmanCyber’s advice, that no data had been taken. On 16 June 2022, the ACSC sent a second notification to ACL, advising that 80gb of Medlab data had been published on the dark web. That same day, ACL’s Head of Technical Services sent an internal email stating they were satisfied the data had been exfiltrated, and that it was likely that a notification would need to be made to the OAIC.

OAIC notification

On 10 July 2022, almost a month after ACL determined a notification would need to be made, ACL notified the OAIC of the breach, acknowledging the types of information involved and the ongoing nature of its investigation. A public apology and further notifications to affected individuals followed in October 2022. 

Failure to take reasonable steps to protect personal information 

The Court found ACL contravened APP 11.1(b). Under APP 11.1(b), entities must ‘take such steps as are reasonable in the circumstances’ to protect the personal information they hold from unauthorised access, modification, and disclosure. 

Assessment of ‘reasonableness’ and ‘circumstances’

When determining how ‘reasonableness’ should be assessed, the Court drew on judicial analysis of ‘reasonable steps’ in the context of the Corporations Act 2001 (Cth). In particular, the obligation is accepted to:

• be assessed objectively by referencing the standard of behaviour of a reasonable person in the position of the entity;
   
• require a wholistic analysis;
   
• differ depending on the complexity of the entity’s business; and
   
• not be capable of being discharged by delegating it to another entity. 

The Court held that the ‘circumstances’ to be considered should be construed broadly. On that basis, the Court considered: 

• ACL’s size and sophistication: ACL’s size, income, and sophistication meant a higher standard of protection was required. At the time of the attack, ACL employed over 5000 staff, was one of the largest pathology providers in Australia and generated revenue of between $670 - $995 million per annum around the time of the breach.
   
• Volume and sensitivity of the information: At the time of acquisition, Medlab held significant volumes of highly sensitive patient information. It processed approximately 1.5 million pathology patient episodes per annum, and held health information, customer credit card information and payment details. The volume and sensitivity of that information warranted a high standard of care, given the potential for serious harm if it was accessed or disclosed.
   
• Cyber risk environment: ACL operated in a ‘high cyber threat landscape’. Several authoritative sources cited in the SAFA identified that healthcare was one of the highest risk sectors. Those included a report published by the United States Health Information Sharing and Analysis Centre, recent cyber incidents affecting health organisations in the United States, ACSC reports that identified the health care and social assistance sector as experiencing the third highest number of cyber incidents, and OIAC’s own report that the health sector was the highest cyber incident reporting sector around the time of ACL’s breach.

Why ACL failed to take reasonable steps to protect the information 

The Court held ACL failed to take reasonable steps in the circumstances discussed above to protect the personal information from unauthorised access, modification and disclosure because of: 

• Medlab IT Deficiencies: ACL’s diligence when acquiring Medlab’s assets failed to identify the deficiencies in Medlab’s IT assets. ACL’s technical diligence primarily consisted of a simple IT questionnaire, which itself should have indicated that further technical diligence may be required. The Court also found ACL took too long to identify the deficiencies after it acquired the assets, even though ACL had started to integrate the assets into its own, more secure environment at the time of the breach.
   
• Overreliance on service provider: ACL placed too much reliance on StickmanCyber and could not detect and respond by itself to cyber incidents. Further, ACL should have known that StickmanCyber’s investigation was inappropriately limited in scope and detail, and should not have relied on the findings of that report when assessing ACL’s obligations under the Act. The Court provided limited guidance on when relying on a service provider will contribute to a failure to take reasonable steps.
   
• Inadequate cyber playbooks: ACL’s cyber incidents playbooks were deficient. The playbooks did not define roles and responsibilities for incident response efforts, contained limited detail on containment processes that should be deployed in the event of a cyber incident or steps that should be taken to mitigate exfiltration of data, and recommended steps for technologies that were not used within the business. Additionally, the employee tasked with responding to the incident had no formal cybersecurity background or incident response training.
   
• Technical deficiencies: The following technical deficiencies limited ACL’s ability to detect and respond to the incident:
   
  • There was inadequate testing of incident management processes in the period between acquiring Medlab’s IT assets and the attack.
     
  • ACL did not use data loss prevention on the Medlab IT assets to detect or prevent the theft of personal information or data held on those systems.
     
  • ACL did not use adequate tooling/products that could perform behavioural-based analysis of activities to determine whether malicious actions might be undetected by an antivirus product.
     
  • ACL did not have an application whitelist in place to prevent unknown or unauthorised applications from running on the Medlab IT assets.
     
  • There was limited security monitoring capability because firewall logs were retained for only one hour.
     
  • Specific data recovery plans had not been developed.
     
  • Staff were not required to use multifactor identification to use the Medlab VPN. 

Failure to carry out reasonable and expeditious assessment 

The Court found that ACL breached section 26WH of the Act. Under section 26WH, if an entity is aware that there are reasonable grounds to suspect (but not believe) an eligible data breach has occurred, the entity must carry out a reasonable and expeditious assessment of whether the circumstances amount to an ‘eligible data breach’. The assessment must be completed within 30 days after the obligation arises. 

The Court considered that by 2 March 2022 (the date on which StickmanCyber provided its investigation findings to ACL), ACL had knowledge of circumstances that were objectively sufficient to establish that: 

• there may have been unauthorised access to the personal and sensitive information of individual customers and patients held on the Medlab IT systems; and
   
• that access would likely result in serious harm to any of the over 223,000 individuals to whom the information related. 

ACL therefore needed to conduct a reasonable assessment within 30 days of 2 March 2022. The Court found ACL’s assessment was not reasonable because: 

• As discussed above, the assessment undertaken by StickmanCyber (which was relied on by ACL) was inadequate; and
   
• ACL was aware of that limited assessment, and it was therefore unreasonable for ACL to rely solely on the assessment and StickmanCyber’s advice that the threat had been contained, and personal information had not been exfiltrated. 

Failure to notify data breach 

Finally, the Court found ACL breached section 26WK(2) of the Act. Under section 26WK(2), entities must notify the OAIC of certain information ‘as soon as practicable’ after becoming aware of reasonable grounds to believe an eligible data breach has occurred. 

When is ‘as soon as practicable’

The Court noted that while ‘as soon as practicable’ is not defined in the Act, explanatory guidance indicates it involves considering whether the time, effort, or cost to notify would make notification impracticable, when considered in all circumstances of the entity and breach in question. The Court noted that the information that needed to be included in an initial notification to the OAIC is not particularly onerous and is designed to facilitate prompt notification (i.e. a description of the breach, the kinds of information concerned, and recommendations about what steps individuals should take in response to the breach). On that basis, the Court found that a notification to the OAIC could be made within two to three days of becoming aware of the breach. 

Why ACL failed to notify in time

The Court held that ACL had reasonable grounds to believe that an eligible data breach had occurred by (at least) the second notification from the ACSC, where ACL was told information had been published on the dark web. However, ACL waited until almost a month later to notify, after it had engaged external legal advisors to conduct a full assessment of the incident. 

ACL’s penalties

At the time of the breach, civil penalties could be awarded under section 13G of the Act where: 

1. an act or practice of an entity constitutes a ‘serious interference’ with the privacy of an individual (which is still a civil offence under the Act); or
    
2. an entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals. 

The Act deems certain acts or practices to be an interference with the privacy of an individual. Those include acts or practices that breach an APP in relation to personal information about an individual, failures to conduct assessments of potential data breaches within the time required, and failures to notify the OAIC of eligible data breaches. The Court drew on case law to determine that ‘serious’ in the context of section 13G meant conduct that is ‘grave and significant’ or represents a substantial departure from the standard of care and diligence required. 

Applying section 13G to ACL’s breach of APP 11

The Court held that ACL breached APP 11 in respect of each affected individual, and that ACL committed 223,000 separate contraventions of section 13G(a). The Court viewed the breach of APP 11 to be sufficiently serious, considering the sensitivity of the personal information, the extent of the deficiencies in the Medlab IT systems, the deficiencies in ACL’s response to the attack and ACL’s reliance on a third-party cybersecurity services provider.

Interestingly, the Court appears to have focused on the departure from the standard of care required under APP 11, rather than the impact of the data breach on the individual (although the sensitivity of information was factored into the assessment). In theory, this suggests that the information involved in a data breach could be minor in nature (e.g. limited to names and emails), but if the breach of APP 11 is sufficiently extensive (e.g. a complete failure to implement appropriate security), then the interference may still be regarded as ‘serious’.

Applying section 13G to ACL’s failure to conduct an assessment and notify the breach

Under section 13(4A) of the Act, a contravention of section 26WH(2) (obligation to carry out an assessment of a suspected data breach) or section 26WK (failure to notify the OAIC of an eligible data breach) are each taken to be an act or practice that interferes with the privacy of an individual. Our discussion on why ACL was found to have breached those sections is set out above. The Court found that ACL’s contraventions of those sections were a serious interference with the privacy of an individual when considering: 

• the sensitivity and volume of the information involved;
   
• the high cybersecurity risks faced by ACL at the time of the breach; and
   
• the fact that the failure to conduct an assessment and promptly notify delayed the OAIC’s ability to perform its statutory function of monitoring ACL’s notification to affected individuals regarding the breach and reduce the potential harm.

On that basis, the Court found ACL committed two contraventions of section 13G(a) by contravening section 26WH(2) and section 26WK. 

Penalties awarded

At the time of the breach, the maximum civil penalty for a contravention of section 13G(a) was $444,000. Under the Regulatory Powers (Standard Provisions) Act 2014 (Cth), a pecuniary penalty for a body corporate must not exceed five times the penalty specified for the civil penalty provision. Accordingly, the maximum penalties for ACL’s breaches of section 13G(a) were: 

• $495 billion for the breaches of APP 11;
   
• $2.2 million for the failure to conduct a reasonable and expeditious assessment; and
   
• $2.2 million for the failure to notify the OAIC of the eligible data breach. 

Under the SAFA, the parties had proposed an aggregate penalty of $5.8 million. The Court considered the extent and significance of the contraventions, the potential for significant harm to the affected individuals, the impact of the contraventions on the broader public trust in entities holding sensitive information of individuals, and ACL’s size and income and observed that the penalty of $5.8 million would be ‘manifestly inadequate’. However, the Court determined that the penalty fell within the range of permissible penalties when weighed against certain ameliorating factors, including the fact that ACL did not derive a gain from the contraventions, was in the process of addressing the cyber risks in respect of Medlab’s IT assets, cooperated with the OAIC’s investigation, and had not previously contravened the Act. 

It is important to note that, since the time of ACL’s breach, the maximum penalties that may be awarded for a serious interference with the privacy of an individual have been increased to an amount not exceeding the greater of: 

• $50 million; or
   
• three times the value of the benefit the entity obtained from the contravention (if that benefit can be calculated); or
   
• 30% of the adjusted turnover of the entity during the relevant breach period (where the benefit obtained from the contravention cannot be calculated).