

Landmark Privacy Decision: Australian Clinical Labs Ordered to Pay $5.8 Million in Penalties

The Federal Court has handed down a landmark ruling under the Privacy Act 1988 (Cth), marking the first civil penalty imposed for breaches of the Act’s privacy and data protection obligations.

Australian Clinical Labs Limited (ACL) has been ordered to pay $5.8 million in penalties after the Court found that it failed to take reasonable steps to protect sensitive personal information and delayed its mandatory data breach notification.

Key Insights:

This decision provides crucial judicial guidance on:

– The Court’s interpretation of compliance with Australian Privacy Principle (APP) 11 – Security of Personal Information.

– Obligations under the Notifiable Data Breach (NDB) Scheme.

– The application of civil penalty provisions under the Privacy Act.

It also reinforces the importance of robust cybersecurity and privacy due diligence during mergers and acquisitions and confirms that organisations cannot escape liability by outsourcing critical cybersecurity functions to third parties.

The outcome comes amid ongoing civil penalty actions initiated by the Office of the Australian Information Commissioner (OAIC) against Medibank and Optus, both involving breaches affecting over 9.5 million Australians.

Overview of the Case

On 8 October 2025, Justice Halley delivered judgment in Australian Information Commissioner v Australian Clinical Labs Limited [2025] FCA 1224.

The proceeding—largely uncontested—focused on the appropriate level of penalties to be imposed, with both the Australian Information Commissioner (AIC) and ACL agreeing on the core facts presented in a Statement of Agreed Facts and Admissions (SAFA).

ACL, one of Australia’s largest pathology providers with revenues exceeding $600 million, had acquired Medlab Pathology Pty Ltd in December 2021. Medlab’s systems held extensive personal and sensitive health data, including genetic testing results, fertility information, and financial details.

Prior to the acquisition, ACL had conducted only limited cybersecurity due diligence through a basic questionnaire. The company was aware that Medlab had not performed penetration testing, vulnerability assessments, or security audits for over six years. These deficiencies, which included weak authentication, lack of encryption, and outdated antivirus protection, became fully apparent only after ACL took control of Medlab’s IT environment.

The Cyberattack and Inadequate Investigation

In February 2022, a ransomware group known as the Quantum Group infiltrated Medlab’s IT systems and demanded ransom payment.

ACL engaged its long-term cybersecurity vendor, StickmanCyber, to manage the incident response. The provider advised that the ransom threat was likely a “scare tactic” and suggested issuing a public statement claiming no data had been stolen.

StickmanCyber’s subsequent investigation was limited and flawed, monitoring only 3 of 127 infected systems and failing to examine firewall logs or investigate data exfiltration. Based on this incomplete analysis, ACL concluded the attack was not a notifiable breach under section 26WE of the Act.

In June 2022, the Australian Cyber Security Centre (ACSC) informed ACL that 86GB of Medlab data had in fact been published on the dark web—exposing the personal information of over 223,000 individuals, including medical and financial data.

ACL formally notified the OAIC of the breach four months later, in July 2022.

Court Findings

Justice Halley found that ACL had contravened multiple sections of the Privacy Act:

– Section 13G(a) – Failing to take reasonable steps to secure personal information.

– Section 26WH(2) – Failing to promptly assess within 30 days whether the incident was an eligible data breach.

– Section 26WK(2) – Failing to notify the AIC as soon as practicable after determining the breach was eligible.

The total penalty of $5.8 million comprised:

– $4.2 million – Security of Personal Information breach.

– $800,000 – Failure to conduct timely assessment.

– $800,000 – Failure to notify the OAIC.

ACL was also ordered to contribute $400,000 towards the Commissioner’s legal costs.

Court’s Analysis: What Constitutes “Reasonable Steps”

Under APP 11.1, organisations must take “reasonable steps” to safeguard personal data from misuse, loss, or unauthorised access.

Justice Halley clarified that this standard is objective and context-driven, requiring consideration of:

– The sensitivity of the data held.

– The potential harm to individuals if compromised.

– The size, complexity, and risk profile of the organisation.

– The cyber threat environment in which it operates.

ACL’s failure to meet this standard stemmed from:

– The scale and sensitivity of information in its possession.

– Known cybersecurity deficiencies in Medlab’s systems.

– Delays in identifying and remediating those weaknesses.

– Excessive reliance on external vendors without sufficient internal capability or oversight.

The Court also highlighted internal failings, including outdated incident response playbooks, lack of incident testing, no MFA enforcement, limited log retention, and inadequate Data Loss Prevention (DLP) mechanisms.

These shortcomings, the Court noted, now serve as baseline indicators for what may fall short of the “reasonable steps” standard under APP 11.

Civil Penalty Regime and Court’s Approach

At the time of the contraventions, the maximum penalty was 2,000 penalty units ($222 each), multiplied fivefold for corporations—capping penalties at $2.22 million per contravention.

Given that each individual’s data represented a separate contravention, the theoretical maximum exceeded $495 billion.

In determining the final penalty, the Court considered:

– The gravity and scope of ACL’s contraventions.

– The extent of harm and distress caused to affected individuals.

– The need for specific and general deterrence to reinforce compliance expectations.

– Mitigating factors, including cooperation, remedial measures, and the absence of intentional misconduct.

The agreed penalty of $5.8 million was deemed proportionate and within an appropriate range to achieve deterrence.

Lessons for Organisations

Strengthen Cybersecurity and Data Governance

Entities must regularly evaluate and enhance their security controls, data management frameworks, and breach response mechanisms. Courts and regulators will now measure compliance against an evolving benchmark of “reasonable steps” in line with modern cyber risk environments.

Avoid Overreliance on Third Parties

While outsourcing may assist in technical response, accountability remains with the entity. Organisations must have internal capability to validate vendor performance, monitor investigations, and ensure prompt notification of data breaches.

Conduct Robust M&A Cyber Due Diligence

This case underscores that acquiring outdated IT systems without immediate remediation can expose acquirers to significant regulatory and reputational risk. Cybersecurity assessments must be integrated into pre-completion and post-acquisition processes, supported by appropriate training, integration, and controls.

Conclusion

The ACL judgment serves as a milestone in Australian privacy law, reinforcing the increasing scrutiny and enforcement focus of the OAIC and the Federal Court.

As privacy breaches and enforcement actions escalate in frequency and impact, organisations should:

– Conduct comprehensive privacy and cybersecurity audits.

– Strengthen incident response governance.

– Ensure board-level oversight of cyber resilience strategies.


Our team of privacy, regulatory, and dispute resolution specialists is equipped to help organisations assess compliance gaps, respond to investigations, and build resilience against emerging data and privacy risks.
