Landmark privacy penalty: What the ACL case means for data protection in Australia

John Dieckmann, Bianca Weiss, Lynette Munoz and Tom Flower
17 Oct 2025
8 minutes

The Federal Court’s decision in Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 marks a turning point in Australian privacy law, imposing Australia's first civil penalties under the Privacy Act – totalling $5.8 million.

The case follows heightened regulatory action by the Office of the Australian Information Commissioner (OAIC) in response to cyber-attacks and exposed failures to adequately secure personal information. It highlights the OAIC's increasing readiness to initiate legal proceedings for serious data breaches, with civil penalty proceedings against Medibank and Optus still on foot.

While the orders in this case were made by consent (based on a statement of agreed facts and submissions and an agreed penalty), the decision still offers some insight into what the "reasonable steps" that organisations are expected to take to secure personal information look like (or perhaps more accurately, what they do not look like). With increased penalties now in force under the Privacy Act, the court's commentary highlights the importance of having robust and tested policies and procedures in place to assess and respond to data breaches when they occur (procedures which are regularly reviewed and take account of evolving risks), and of making timely notifications of data breaches where required under the Privacy Act. It also brings to the fore the importance of conducting appropriate due diligence in relation to cyber security issues as part of business acquisitions.

Australian Clinical Labs: the acquisition followed by the data breach

Australian Clinical Labs (ACL), a large hospital pathology services provider, acquired the assets of MedLab Pathology in December 2021. MedLab's assets included IT systems and databases containing health information, contact information and credit card information in relation to some 223,000 individuals. ACL did not identify relevant vulnerabilities in the MedLab IT systems prior to its acquisition, and those vulnerabilities remained for a significant period after the acquisition was completed.

ACL was in the process of integrating MedLab's IT systems into its own when a cyber attack occurred, on or around 25 February 2022. A malicious actor known as the Quantum Group installed malware that encrypted all MedLab's files, and made a ransomware demand. In response, ACL engaged a third party consultant, StickmanCyber, to investigate and advise on the cyber attack. That day, StickmanCyber advised that the ransomware demand was likely a "scare tactic". On 2 March 2022, StickmanCyber provided an Incident Summary Report to ACL, followed by an email to ACL on 15 March 2022, in which StickmanCyber concluded that the cyber attack did not cause harm to any individual as it could not determine whether data had been exfiltrated. On this basis, ACL determined that the cyber attack did not constitute an eligible data breach under the Privacy Act 1988 (Cth) and chose not to notify the Australian Information Commissioner of the incident under the notifiable data breaches scheme.

On 25 March 2022, the Australian Cyber Security Centre (ACSC) notified ACL that it had received intelligence that MedLab may have been the victim of a ransomware incident, suggesting further investigation and that ACL consider whether it was obliged to give notice of a data breach. On the same day, ACL's CIO notified the ACSC that ACL believed, based on its own monitoring of affected devices and the dark web, that no data exfiltration had occurred.

However, data had in fact been exfiltrated. On 16 June 2022, the ACSC notified ACL that, based on information received from a third party through monitoring of the dark web, 80GB of data from the MedLab IT systems had been published on the dark web, including health and financial information. Following this second notification, on 16 June 2022 ACL's Head of Technical Services notified ACL, MedLab and StickmanCyber personnel that he was satisfied that data had been exfiltrated as a result of the earlier attack and was visible on the dark web. Between 22 June 2022 and 10 July 2022, ACL (through Clyde & Co) reviewed the information which had been exfiltrated and published. On 10 July 2022, ACL notified the Commissioner of an "eligible data breach" under the notifiable data breaches scheme. That notice recited the fact that an analysis of the data concerned and individuals affected was ongoing and could take some time to complete, but that once completed MedLab would update the Commissioner and take appropriate steps to notify any affected individuals. The statement noted that the types of information involved included financial details, tax file numbers, and identity, contact and health information.

Key findings on breaches of the Privacy Act

In the statement of agreed facts and submissions, the parties acknowledged, and the Court agreed, that the following contraventions of the Privacy Act had occurred.

The security contravention

The statement of agreed facts and submissions noted the following shortcomings in MedLab's security posture:

  • cyber incident response playbooks being too general, failing to clearly define roles and responsibilities and lacking detail on mitigation measures;

  • incident management processes not being adequately tested between ACL's acquisition of MedLab and the breach;

  • data loss prevention not being used to detect or prevent theft of personal information held on the MedLab IT systems;

  • MedLab not using tools that could perform behavioural analysis of activities on the MedLab IT systems to detect malicious activity;

  • MedLab not employing application "whitelisting" to prevent unknown applications from executing, and using an (unnamed) antivirus system that was considered inadequate;

  • there being limited plans addressing communications with internal and external stakeholders and regulators;

  • the MedLab individual initially tasked with managing the breach not having seen or received training on the playbooks and having no formal cybersecurity background or incident response training;

  • the MedLab IT systems having limited security monitoring capability (firewall logs were retained only for 1 hour) and limited incident notification capability;

  • a lack of specific disaster recovery plans for the MedLab IT systems; and

  • multi-factor authentication not being used to permit staff to gain access to the MedLab network.

The Court agreed in this context that ACL had failed to take reasonable steps to protect personal information from unauthorised access as required by the Privacy Act. Drawing upon judicial consideration of what amounts to "reasonable steps" in relation to various offences under the Corporations Act, the Court commented that such an obligation will vary depending on the complexity of the entity's business and the procedures within the entity, and needs to be assessed holistically. While it does not require a person to identify and take the optimal approach out of all possible measures that could be taken, it does require actions which were in their totality reasonable, assessed objectively by reference to what a reasonable person in the relevant person’s position would have expected.

The size and nature of ACL's operations, the volume and sensitivity of the personal information involved, the high risk of cyber incidents of which ACL was aware, and the failure to identify and delay in remedying the vulnerabilities within the MedLab IT systems were all factors relied upon in reaching this conclusion. Of particular note was the Court's comment that ACL's obligation was not "capable of being discharged simply by delegating it to another entity and doing nothing more", noting ACL's overreliance on third party providers and its own lack of adequate procedures to detect and respond to cyber incidents.

Having found that a breach had occurred, the Court turned to the question of whether the breach involved a "serious" interference with privacy. Again, the Court relied on authorities in the context of the Corporations Act in commenting that a “serious contravention” is one that is “grave or significant” or “weighty, important, grave and considerable” and "ultimately a question of fact to be determined by reference to the degree of the departure from the requisite standard of care and diligence and the nature of the conduct"[1]. The Court concluded that ACL's breaches of APP 11 were "serious", having regard to:

  • the nature and volume of the personal information concerned (including sensitive health information);

  • the extent of the deficiencies in the MedLab systems and its responses to those deficiencies; and

  • ACL’s level of reliance on third party providers,

all of which were said to have significantly heightened the risk of unauthorised access to the information concerned.

The assessment and response contravention

The Court also agreed that ACL failed to conduct a reasonable and expeditious assessment of whether the MedLab cyberattack constituted an "eligible data breach" as required by section 26WH(2) of the Privacy Act. The Court found the initial assessment commissioned by ACL was not "reasonable and expeditious" on the basis that:

  • the scope of the assessment was limited (i.e. only three of the 127 computers subject to the ransomware attack were monitored);

  • there was inadequate analysis of the threat actor's traits (no thorough investigation was made of the Quantum Group's behaviour);

  • there was insufficient use of available data and logs (i.e. the review was based on a single firewall log, and the MedLab IT systems' firewalls retained logs for only one hour, which severely limited the ability to reconstruct the attack and assess the extent of data exfiltration); and

  • the early termination of the investigation (which occurred only four days after the attack, with no further monitoring for evidence of data publication on the dark web).

The Court noted that ACL was "aware of the limited assessment undertaken by StickmanCyber and it was therefore unreasonable for ACL to rely solely on that assessment and StickmanCyber’s advice to conclude by 2 March 2022 that the threat ... had been contained".

The notification contravention

The Court also agreed that (having become aware of the data breach on 16 June 2022 but only notifying the Commissioner of the breach on 10 July 2022) ACL had failed to notify the Commissioner of the eligible data breach as soon as "practicable" as required by section 26WK(2) of the Privacy Act. On that, the Court did not consider the requirements for an eligible data breach notification to be particularly onerous in the circumstances, as it needed only to include a description of the data breach, the type or types of information involved, and recommendations for steps individuals should take in response to the breach.

The maximum and final penalties

This case marks the first civil penalty proceeding brought by the Commissioner. Based on the penalties in force at the time of the relevant breaches, His Honour cited a total maximum penalty for those breaches of $495,060,000,000.

However, His Honour held that the agreed penalty of $5.8 million fell within the range of permissible penalties to achieve specific and general deterrence, and appropriately took into account the fact that the breaches all stemmed from a single incident, and mitigating factors such as ACL's cooperation with the Commissioner's investigation, its active steps to improve its cybersecurity following the investigation and the absence of any deliberate misconduct.

An interesting feature of the penalty is that a combined total of $1.6m was allocated to the failures to conduct an assessment of, and notify, the relevant data breaches within the timelines required by the Privacy Act. Although this is less than the $4.2m allocated to the failure to take reasonable steps to avoid the breach in the first place, it perhaps demonstrates a determination on the part of the OAIC to ensure organisations respond to data breaches in the manner required by the Privacy Act. For some time, the OAIC has warned (in its regular notifiable data breaches publications) that organisations have been taking too long to investigate and notify data breaches – and this penalty arguably indicates the seriousness with which the OAIC will regard such delays in future.

Notably, in December 2022 (after the offending conduct in the ACL decision), new penalties came into force under the Privacy Act. For bodies corporate, the maximum penalty for a serious interference with privacy is now the greater of:

  • $50 million;

  • 3 times the value of any benefit obtained from the contravention; or

  • 30% of the company's adjusted turnover during the breach period (if the benefit cannot be determined).

Key takeaways

The case highlights the following key takeaways for organisations subject to the Privacy Act.

Review and align security measures

  • Ensure that policies, procedures and systems match the size of your organisation, the market in which you operate, and the sensitivity of the data you hold.

  • Take a holistic approach to assessing what constitutes "reasonable steps" under APP 11.1(b). Given how this concept has been interpreted under the Corporations Act, organisations must consider how that interpretation will affect what is reasonable in their circumstances. Notably, the obligation cannot be discharged by deferring to external providers who undertake only a limited review.

Respond rapidly to data breaches

  • Assess breaches thoroughly and expeditiously. Ensure there are no unnecessary delays, and that your policies and procedures have clear internal timelines.

  • Ensure that third-party forensic analysis is thorough and fit-for-purpose. Fragmented or superficial reviews will not ensure compliance.

  • Investigate and notify promptly where there is a reasonable basis for suspecting or believing a breach has occurred. Waiting until you have absolute certainty on what data has been taken and which individuals are affected prevents proactive mitigation and risks a penalty.

Prepare your people

  • Develop and maintain data breach response playbooks that define roles and responsibilities clearly.

  • Train staff to identify, escalate and respond to incidents effectively.

  • Test procedures and processes to identify improvements.

Conduct cyber due diligence in M&A

  • Scrutinise the security posture of acquisition targets.

  • If weaknesses are found, act promptly – don't wait for lengthy ICT integration projects to complete before addressing issues.

Systems and forensics readiness

  • Use quick wins like MFA, encryption, application whitelisting and fit-for-purpose anti-virus tools to help uplift security.

  • Implement systems with robust logging and monitoring to assist with investigations.

  • Avoid relying on reactive methods like piecemeal dark web scanning to detect data exfiltration.

Determining the "reasonable steps" required

  • What is reasonable in preventing and responding to data breaches is not necessarily what is optimal, but will be judged holistically by what a reasonable person in the organisation's position would have done.

  • Organisations cannot avoid responsibility by simply outsourcing to a third party – oversight and independent judgement are required.


[1] Since the conduct which was the subject of this proceeding occurred, section 13G(1B) of the Privacy Act has been introduced. That section does not define "serious" but specifies the matters a Court may have regard to in determining "seriousness". These include the kind and sensitivity of information involved, the consequences for individuals, the number of people affected (and whether children or vulnerable people are involved), whether the act was done repeatedly and whether the offending entity's failure to implement procedures to comply contributed to the breach.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.