Out-Law News

Landmark data breach penalty a warning to Australian businesses, with more penalties expected


The first civil penalty imposed by an Australian court for serious breaches of the Privacy Act should be a strong reminder for businesses to prioritise the privacy and security of the personal information they hold and to be ready to respond proactively to data breaches, warn data and privacy experts at Pinsent Masons.

Australian Clinical Labs Limited (ACL), one of Australia’s largest private hospital pathology businesses, must pay a penalty of A$5.8 million (approx. US$3.8 million), plus a contribution of A$400,000 to legal costs, following the court’s approval of the total amount agreed between ACL and the Office of the Australian Information Commissioner (OAIC).

The penalty is for breaches of ACL’s data protection and data breach notification obligations under the federal Privacy Act 1988 between December 2021 and July 2022, after its Medlab Pathology business experienced a cyber-attack in February 2022, soon after its assets were acquired by ACL. The penalty was based on an agreed set of facts and admissions.

Medlab provides pathology services including sexually transmitted disease testing, fertility assessments and genetic testing, and the impacted information ultimately appeared on the dark web. The breach impacted the personal information, including sensitive health and financial information, of more than 223,000 patients.

Veronica Scott, an expert in data and privacy law at Pinsent Masons, said: “This is the first time that the data protection and breach response obligations in the Privacy Act have been subject to judicial consideration.”

“This landmark decision and the factors the court considered should be taken very seriously, particularly because the OAIC has two more current proceedings for data breaches from 2022 and has indicated more actions are waiting. The court’s decision makes the obligations and responsibilities for business clear,” she said.

“As the first civil penalty ordered for serious breaches of the Privacy Act, we also expect this will set the direction for future actions under the updated civil penalty regime and reinforce the standard for protecting personal information and responding to data breaches.”

The penalty comprised A$4.2 million for failing to take reasonable steps to protect the personal information of patients from a data breach, with a further A$800,000 for failing to conduct a reasonable and expeditious assessment of whether the data breach was notifiable, and another A$800,000 for failing to notify the data breach to the OAIC as soon as reasonably practicable after it assessed the breach was notifiable.

Susan Kantor, an expert in data and privacy law at Pinsent Masons, said: “The case makes it clear that businesses should be ready to proactively respond to cyber incidents that result in suspected data breaches and carefully and quickly assess the impact and complete notifications promptly.”

“Ensuring you have a clear plan and procedure to follow, with the right team of experts in place to support you both internally and externally and who can take immediate action as soon as an incident is identified, is critical to protecting both the individuals and organisation as well as avoiding delays,” she said.

“This will help ensure an appropriate investigation happens,” she said.

When the cyber-attack occurred, ACL had been planning to migrate Medlab’s IT into its own systems after the acquisition. The initial forensic investigation, performed by a third-party provider, failed to identify that data had been taken from Medlab’s systems.

Scott said: “The sequence of events also highlights the importance of planning for cyber and data privacy risks before, during and after transactions, particularly those which involve the acquisition of significant data sets. Effective due diligence will help businesses identify and plan to manage those risks.”

The Medlab cyber incident occurred before the current higher civil penalty regime for serious privacy breaches came into effect. At the time of the incident, the maximum penalty for serious or repeated breaches of Privacy Act obligations by a company was A$2.2 million.

In court, the parties agreed that ACL had engaged in a separate course of conduct that interfered with the privacy of each of the 223,000 affected individuals. The statutory power to impose regulatory penalties of this kind is limited to no more than five times the pecuniary civil penalty for a breach. The court confirmed that the aggregate maximum penalty that could therefore be imposed for the data protection contraventions was more than A$495 billion. However, the court was satisfied that the contraventions of the act arose from a single course of conduct, namely the breach of ACL’s data protection obligations.

There were a range of factors the court considered in approving the total penalty, including ACL’s size and revenue, the involvement of senior management in decision making about its response to the incident and its failure to ‘act with sufficient care and diligence’ in managing the risk of a cyberattack on the Medlab IT systems. The court found that, given the nature of the impacted information, it could be combined with the growing body of already leaked personal information, meaning the data breach would cause significant harm to the affected individuals.

The court also considered factors such as ACL’s admissions and public apology, its cooperation with the OAIC, improved compliance culture following the incident and that it had no history of non-compliance.

Gagan Singh of Pinsent Masons said: “Whether final penalties should be assessed based on a single course of conduct only or be multiplied by the number of affected individuals remains under debate. The effect of these multipliers could be huge, as the court’s calculations indicated.”

The civil penalty regime in the Privacy Act was updated in December 2022, so penalties for more recent and future breaches are potentially even higher. The maximum penalty now for a serious breach is the greater of A$50m, three times the value of the benefit from the conduct that constituted the breach or, if that value cannot be determined, 30% of the organisation’s adjusted turnover during the breach turnover period.

While compliance with data protection obligations has been the subject of recent regulatory action, the data retention and destruction obligations are also expected to come into focus in future actions, according to recent comments made by the OAIC’s investigation lead at CyberCon 2025.

Scott said: “In a continuing heightened cyber threat environment and an uncertain, evolving regulatory landscape, regulators are actively enforcing companies’ and directors’ privacy, cyber security and cyber risk management obligations.”

“This means businesses should be taking appropriate action to understand their risks and manage their data responsibly across its lifecycle and adopt a proactive and comprehensive approach to protecting privacy, to cyber risk management and to incident response,” she said.

“What an appropriate program looks like will depend on the circumstances of each business. But as the court found, these obligations cannot be outsourced.”
