--- Begin Message ---

[ After aiming very strong criticism at successive, weak PCers 2004-23, I may very well have to change my tune! ]

> Australian Clinical Labs [ACL] has been fined $5.8 million over a 2022 data breach that exposed the personal information of more than 223,000 people and saw the Office of the Australian Information Commissioner exercise its enforcement powers for the first time.

> Australian Information Commissioner Elizabeth Tydd said the ruling provides “an important reminder to all APP entities that they must remain vigilant in securing and responsibly managing the personal information they hold”.

> Privacy Commissioner Carly Kind said the decision marked “an important turning point in the enforcement of privacy law in Australia”.

> “For the first time, a regulated entity has been subject to civil penalties under the Privacy Act, in line with the expectations of the public and the powers given to the OAIC by parliament,” she said.


[ For clarity, the breach by the then MedLab Pathology occurred through 2021-22, the investigation took place from mid-late 2022, and the proceedings were commenced in November 2023, all under the previous PCer Angelene Falk. (ACL acquired MedLab during the period 2021-23.) ]

[ The changeover from a lone ICer-&-PCer back to separate appointments occurred from February 2024, when Carly Kind was appointed to the long-vacant PCer role and Elizabeth Tydd as FoI Commissioner, with Tydd promoted to ICer in August 2024 when Falk retired from the role. ]

https://www.itnews.com.au/news/medlab-pathology-faces-questions-over-data-breach-timeline-588757
https://www.oaic.gov.au/news/media-centre/oaic-commences-federal-court-proceedings-against-australian-clinical-labs-limited


Clinical Labs fined $5.8m in Privacy Act first
Trish Everingham
Innovation Aus
9 October 2025
https://www.innovationaus.com/clinical-labs-fined-5-8m-in-privacy-act-first/

Australian Clinical Labs has been fined $5.8 million over a 2022 data breach that exposed the personal information of more than 223,000 people and saw the Office of the Australian Information Commissioner exercise its enforcement powers for the first time.

The Federal Court found that the company’s Medlab Pathology business failed to take reasonable steps to secure the data, assess the breach promptly, or report it to regulators. It is the first time civil penalties have been imposed under the Privacy Act.

Justice Halley described the contraventions as “extensive and significant” and said the company’s senior management had been directly involved in decisions about its IT systems and its response to the attack.

He found that the company failed “to act with sufficient care and diligence in managing the risk of a cyberattack on the Medlab IT systems”.

The court ordered three penalties: $4.2 million for inadequate protection of personal information, $800,000 for failing to assess the breach quickly, and another $800,000 for not notifying the OAIC in a timely way.

Justice Halley said the company’s conduct “had at least the potential to cause significant harm to individuals whose information had been exfiltrated, including financial harm, distress or psychological harms, and material inconvenience”.

He added that the failings also had “the potential to have a broader impact on public trust in entities holding private and sensitive information of individuals”.

ACL admitted the contraventions, apologised and cooperated with the OAIC investigation. The court noted that the company had since started a program to strengthen its cybersecurity systems and improve its compliance culture.

Australian Information Commissioner Elizabeth Tydd said the ruling provides “an important reminder to all APP entities that they must remain vigilant in securing and responsibly managing the personal information they hold”.

She said the decision was “a notable deterrent and signal to organisations to ensure they undertake reasonable and expeditious investigations of potential data breaches and report them appropriately”.

Privacy Commissioner Carly Kind said the decision marked “an important turning point in the enforcement of privacy law in Australia”.

“For the first time, a regulated entity has been subject to civil penalties under the Privacy Act, in line with the expectations of the public and the powers given to the OAIC by parliament,” she said.

“This should serve as a vivid reminder to entities, particularly providers operating within Australia’s healthcare system, that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold.”

The penalties were imposed under the previous penalty regime, which capped fines at $2.22 million per breach. Higher penalties now apply under laws introduced in December 2022, allowing for fines of up to $50 million, three times the benefit gained, or up to 30 per cent of annual turnover.


--
Roger Clarke                            mailto:[email protected]
T: +61 2 6288 6916   http://www.xamax.com.au  http://www.rogerclarke.com

Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professorial Fellow                          UNSW Law & Justice
Visiting Professor in Computer Science    Australian National University

--- End Message ---
_______________________________________________
apf-media-archive mailing list
[email protected]
https://lists.privacy.org.au/mailman/listinfo/apf-media-archive