$5.8M ordered for breach of the Privacy Act 1988
A landmark decision in Australian Information Commissioner v Australian Clinical Labs Ltd (No 2) [2025] FCA 1224
On 8 October 2025, the Federal Court of Australia handed down a landmark decision in Australian Information Commissioner v Australian Clinical Labs Ltd (No 2) [2025] FCA 1224, ordering Australian Clinical Labs to pay $5.8 million in civil penalties for a number of breaches of the Privacy Act 1988 (Cth) (Privacy Act). The breaches related to a data breach that occurred following a transfer of assets (including IT assets) to an incoming purchaser.
This case marks the first example of a court awarding a civil penalty for a breach of the Privacy Act.
Key takeaways
This case highlights the seriousness of breaches of the Privacy Act and indicates that the OAIC is becoming increasingly active in enforcing it. It serves as a reminder to review and update cyber security systems and procedures, especially where your business handles personal or sensitive information. The decision sets a marker that businesses cannot outsource their responsibility, or reduce their liability, under the Privacy Act by relying on the advice of third-party consultants and taking no further action.
Furthermore, this decision exemplifies the importance of reviewing the data security arrangements of an acquisition target during the due diligence phase of a business purchase transaction.
Background
Australian Clinical Labs Ltd (ACL) is one of Australia’s largest private providers of hospital pathology services. In December 2021, ACL acquired the assets of another pathology entity, Medlab Pathology Pty Ltd (Medlab).
In this transaction, ACL acquired the IT systems and databases of Medlab. The data included in these systems contained personal and sensitive information, such as patient health information, contact information, and credit card information of approximately 223,000 individuals.
On 25 February 2022, ACL was subject to a cyber-attack in which malware encrypted the files on Medlab’s systems. In response, ACL engaged a cyber security consultant, who advised that the attack was likely just a scare tactic to pressure ACL into paying a ransom demand. Based on this advice, ACL chose not to report the incident to the Office of the Australian Information Commissioner (OAIC) as a Notifiable Data Breach.
On 16 June 2022, the Australian Cyber Security Centre (ACSC) notified ACL that over 80 gigabytes of data from the Medlab IT Systems had been published on the dark web, including health and financial information. ACL did not notify the OAIC of the breach until approximately one month later on 10 July 2022.
Judgment
The Federal Court noted the following breaches of the Privacy Act:
Failure to take reasonable steps in the circumstances to protect personal information (APP 11.1)
Key shortcomings in Medlab’s systems that contributed to the data breach included outdated software, no use of multi-factor authentication, a lack of encryption and inadequate monitoring capabilities. From an organisational perspective, ACL had inadequate systems and processes to respond to threats, and no comprehensive system for risk assessment.
The Court held that ACL’s failure to take reasonable steps to remedy these issues was a breach of APP 11.1. In reaching this conclusion, the Court had regard to the nature, volume and sensitivity of the information involved, the size and nature of ACL’s operations, the substantial risk of cyber incidents of which ACL was aware, and ACL’s failure to identify and remedy the vulnerabilities in Medlab’s IT systems.
The Court awarded a $4.2 million penalty for this breach.
Failure to carry out a reasonable and expeditious assessment of the data breach (section 26WH(2))
Despite ACL having obtained an assessment from the cyber security consultant, the Court held that ACL’s knowledge and awareness of the breach was sufficient to require it to undertake a reasonable and expeditious assessment of the data breach itself. The Court held that the assessment undertaken by the consultant was inadequate, that it was unreasonable for ACL to rely on such a limited assessment, and that this reliance ultimately delayed ACL’s notification to the OAIC until 10 July 2022.
The Court awarded an $800,000.00 penalty for this breach.
Failure to notify the OAIC of the data breach as soon as practicable (section 26WK)
The Court held that, given the delay of approximately one month between the ACSC notifying ACL of the data breach on 16 June 2022 and ACL reporting the breach on 10 July 2022, the notification was not made as soon as practicable. In the statement of agreed facts and submissions, ACL admitted that it could have compiled an appropriate report within 2-3 days.
The Court awarded an $800,000.00 penalty for this breach.
The Court noted that each of these breaches was a serious interference with privacy under section 13G of the Privacy Act, because of the sensitivity of the health data, the scale of the exposure, and the systematic deficiencies that led to the breach.
Next steps
This case is a timely reminder to review and update privacy policies and data security procedures, especially in relation to business sale transactions. Page Seager Lawyers can assist with all aspects of privacy law compliance and advice.