The Brief:

  • Australian Clinical Labs hit with $5.8m penalty in first-ever Privacy Act civil case.

  • Court sets a new standard for cyber diligence and breach response, warning firms they can’t hide behind consultants or acquisitions.

Australian Clinical Labs (ACL) has copped a $5.8m fine and $400k in costs after the Federal Court approved its settlement with the Office of the Australian Information Commissioner (OAIC).

It’s the first civil penalty ever under the Privacy Act.

The case stems from a 2022 ransomware attack on Medlab, which ACL had just acquired. The hack saw 86GB of patient data for 223k people dumped on the dark web.

The Court found ACL breached Australian Privacy Principle 11.1 and ss 26WH(2) and 26WK(2) of the Privacy Act — failing to protect personal data, assess the breach quickly, and notify regulators in time.

APP 11.1 sets a high bar for data protection. That includes strong authentication measures, clear incident response, defined roles, proper staff training, and avoiding blind faith in third-party vendors. ACL’s systems? Weak security, vague incident response playbooks, and no multi-factor authentication.

The Court made it clear: companies must actively oversee and interrogate cyber investigations. ACL leaned too hard on a consultant whose limited review missed red flags. Firms can’t outsource responsibility. Justice Halley said that ACL knew that the consultant’s review was limited, and so it was unreasonable to rely on its advice.

ACL also sat on its hands for nearly a month after the Australian Cyber Security Centre warned of the leak. The Court said it should’ve reported within two to three days, backing the government’s proposed 72-hour breach rule.

The message for dealmakers? Inherit the system, inherit the risk. ACL failed to spot Medlab’s vulnerabilities pre-acquisition and dragged its feet on integration and training. Cyber due diligence and early onboarding are non-negotiable.

The Court found that each affected individual counted as a separate contravention, meaning the theoretical maximum fine hit $495bn (or $11tn under the current regime). Ordinarily, $5.8m would have been “manifestly inadequate”, but the reduced penalty reflected ACL’s apology, cooperation, and remediation.

The warning’s clear: cyber risk is now a board-level issue, not an IT one.
