Out-Law News

Landmark data breach penalty a warning to Australian businesses, with more penalties expected


The first civil penalty imposed by an Australian court for serious breaches of the Privacy Act serves as a strong reminder for businesses to prioritise the protection of the personal information they hold and to be prepared to respond proactively to data breaches, warn data and privacy experts at Pinsent Masons.

Australian Clinical Labs Limited (ACL), one of Australia’s largest private hospital pathology businesses, must pay a penalty of A$5.8 million (approx. US$3.8 million), plus a contribution of A$400,000 to legal costs, following the Federal Court’s approval of the total amount agreed between ACL and the Office of the Australian Information Commissioner (OAIC).

The penalty is for serious breaches of ACL’s data protection and data breach notification obligations under the federal Privacy Act 1988 between December 2021 and July 2022, after its Medlab Pathology business experienced a cyber-attack in February 2022, soon after its assets were acquired by ACL. The penalty was based on an agreed set of facts and admissions.

Medlab provides pathology services including sexually transmitted disease testing, fertility assessments and genetic testing. The breach affected the personal information, including sensitive health and financial information, of more than 223,000 patients, and that information was ultimately published on the dark web.

Veronica Scott, an expert in data and privacy law at Pinsent Masons, said: “This is the first time that the data protection and breach response obligations in the Privacy Act have been subject to judicial consideration.

“This landmark decision, and the factors the court considered, should provide a strong incentive for Australian businesses to review and improve their data protection practices - particularly because the OAIC has two more current proceedings concerning data breaches from 2022, and has indicated that more actions are waiting. The court’s decision makes the obligations and responsibilities for businesses clear,” she said.

“As the first civil penalty ordered for serious breaches of the Privacy Act, we also expect this decision will set the direction for future actions under the updated civil penalty regime and reinforce the standard for protecting personal information and responding to data breaches.”

The penalty comprised A$4.2 million for failing to take reasonable steps to protect the personal information of patients from a data breach, with a further A$800,000 for failing to conduct a reasonable and expeditious assessment of whether the data breach was notifiable, and another A$800,000 for failing to notify the OAIC as soon as reasonably practicable upon belatedly assessing the breach as notifiable.

Susan Kantor, an expert data and privacy lawyer at Pinsent Masons, said: “The case makes it clear that businesses should be prepared to proactively respond to cyber incidents that result in suspected data breaches and carefully and quickly assess the impact and complete notifications promptly.”

“Ensuring you have a clear plan and procedure to follow, with the right team of experts in place to support you both internally and externally and who can take immediate action as soon as an incident is identified, is critical to protecting both the individuals and organisation as well as avoiding delays,” she said.

“This will help ensure an appropriate investigation happens.”

When the cyber-attack occurred, ACL had been planning to migrate Medlab’s systems into its own core IT environment post-acquisition. An initial forensic investigation, performed by a third-party provider, failed to identify the exfiltration of data from Medlab’s exposed systems.

Scott said: “The sequence of events also underscores the need to plan for cyber and data privacy risks at every stage of a transaction, particularly those which involve the acquisition of significant data sets. Effective M&A due diligence will help businesses identify and manage those risks.”

The Medlab cyber incident happened before the current higher civil penalty regime for serious privacy breaches came into effect. At the time of the incident, the maximum penalty for serious or repeated breaches of Privacy Act obligations by a company was A$2.2 million.

In court, the parties agreed that ACL had engaged in a separate course of conduct that interfered with the privacy of each of the affected 223,000 individuals. The statutory power to impose regulatory penalties of this kind is limited to no more than five times the pecuniary civil penalty for a breach. Therefore, the court confirmed that the maximum aggregate penalty that could be imposed for each of the data protection contraventions could exceed A$495 billion. However, the court was satisfied that the contraventions of the Privacy Act were from a single course of conduct, which was the breach of ACL’s data protection obligations.

The court considered a range of factors in approving the total penalty, including ACL’s size and revenue, the involvement of senior management in decision making about its response to the incident, and its failure to ‘act with sufficient care and diligence’ in managing the risk of a cyber-attack on the Medlab IT systems. The court found that, given the nature of the impacted information, it could be combined with the growing body of already leaked personal information, meaning the data breach would cause significant harm to the affected individuals.

The court also considered a number of mitigating factors, such as ACL’s admission of liability and its public apology, its cooperation with the OAIC, its improved compliance culture and cybersecurity following the incident, and that it had no previous history of contravening the Privacy Act.

Gagan Singh of Pinsent Masons said: “Whether final penalties should be assessed based solely on a single course of conduct, or be multiplied by the number of affected individuals, remains under debate. The effect of these multipliers could be astronomical, as the Federal Court’s calculations indicated.”

The previous Privacy Act civil penalty regime was revised in December 2022, resulting in the penalties for more recent and future breaches potentially increasing further. Under the current penalty regime, the maximum penalty for a serious breach is the greater of A$50 million, three times the value of the benefit from the conduct that constituted the breach or, if that value cannot be determined, 30% of the organisation’s adjusted turnover during the breach turnover period.

While compliance with data protection obligations has been the subject of recent regulatory action, organisations’ data retention and destruction obligations are also expected to come into focus in future actions, according to recent comments made by the OAIC’s investigation lead at CyberCon 2025.

Scott said: “In a continually heightened cyber threat environment and an uncertain, evolving regulatory landscape, regulators are actively enforcing companies’ and directors’ privacy, cyber security and cyber risk management obligations.

“As a result, businesses should be taking appropriate action to understand their risks and manage their data responsibly across its lifecycle, adopting a proactive and comprehensive approach to protecting privacy, cyber risk management and to incident response,” she said.

“What an appropriate program looks like will depend on the circumstances of each business but, as the court found, these obligations cannot be outsourced.”
