Cyber readiness lessons from Australian Clinical Labs and Australia's first privacy penalty
20 October 2025
Understand what your cyber security program can learn from ACL’s experience. Take on board these key lessons.
Security requires a holistic approach: Understanding the “reasonable steps” required to protect information means understanding your organisation, the data you hold, your capabilities, your vulnerabilities, and the broader threat environment. It involves an assessment of the technical and operational measures to secure data and systems, and the governance arrangements to report and remediate risks.
Don’t over-rely on third party providers: External views and assurance are an essential antidote to groupthink and self-assessment bias, but they don't replace the obligation for all organisations (from the board down) to understand and be responsible for their internal cyber security environment. Make sure you have the right expertise and capability for the job – and advice you can rely on.
Ongoing commitment to cyber uplift can help reduce penalties: Take both proactive and reactive measures: ongoing cyber security uplift, robust incident response planning, and timely post-incident actions to help mitigate penalties and regulatory risk.
Incident investigation and response needs a cross-disciplinary team: Privacy laws require very specific investigations – and an integrated team with legal, risk, and technical expertise can take into account legal and regulatory risks and obligations, help protect customers, and accelerate recovery.
M&A is a time for assessing cyber security risk: Give cyber security risk assessments appropriate attention during M&A activity, with thorough pre-acquisition due diligence and accelerated post-acquisition remediation to address known issues and vulnerabilities, and simulations to bring teams and decision makers together to uplift response capabilities.
In Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224, the Australian Information Commissioner brought proceedings against Australian Clinical Labs (ACL) in relation to a February 2022 data breach that impacted around 223,000 patients of its pathology provider subsidiary Medlab.
The parties submitted to the court, and the court approved, a $5.8 million aggregate penalty, which included:
$4.2 million for failure to take reasonable steps to secure personal information, (arising from 223,000 separate contraventions of Australian Privacy Principle 11);
$800,000 for failure to investigate a suspected incident (under section 26WH of the Privacy Act); and
$800,000 for failure to report an eligible data breach as soon as practicable (under section 26WK of the Privacy Act).
ACL will also contribute $400,000 to the OAIC's legal costs.
The court noted the much greater theoretical maximum penalties (of around $495 billion for the APP 11 breach and $2.22 million each for the 26WH and 26WK breaches) but nonetheless found that the aggregate penalty was appropriate in all the circumstances, and within the range of permissible penalties.
Given this is the first civil penalty proceeding to reach a resolution in the history of the Privacy Act, this will no doubt help shape the approach for future penalty proceedings. However, this is only the beginning of the OAIC's "enforcement era". With changes to the penalty regime in late 2022 and 2024 (Australia’s first tranche of privacy reforms) the OAIC now has a broader enforcement toolbox with much greater penalties: up to $50 million, three times the benefit or 30% of specified turnover.
“This outcome represents an important turning point in the enforcement of privacy law in Australia. For the first time, a regulated entity has been subject to civil penalties under the Privacy Act, in line with the expectations of the public and the powers given to the OAIC by Parliament. This should serve as a vivid reminder to entities, particularly providers operating within Australia’s healthcare system, that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold.”
- Carly Kind, Privacy Commissioner.
The cyber threat environment continues to evolve in scale, sophistication, and technical capability. For the past several years, at least, the regulator and community expectation has been for organisations to “assume compromise” and plan accordingly.
“Reasonable steps” in the privacy and cyber context start with acknowledging the direct relevance of the threat environment to your organisation. The health care sector (and the sensitive data it holds) is a particular focus of threat actors (alongside other critical infrastructure sectors). The number of ransomware incidents against the sector doubled in FY2024-25, and threat actors were successful in 95% of health care and social assistance sector incidents the Australian Signals Directorate (ASD) responded to – compared to a cross-industry success rate of 52%.
The immediate future of the threat environment is characterised by the evolving use of AI to lower the entry bar for attackers and to build a more scalable, accessible ransomware-as-a-service operating model, alongside increasingly sophisticated targeting and faster attacks. In the medium term, the ASD warns that emerging technologies will bring further challenges and that businesses need to begin planning now. Boards and leadership teams are squarely on notice, now more than ever. The persistent nature of the threat environment will bring an increasing level of regulatory scrutiny.
ACL is an ASX-listed private hospital pathology business that collects and holds patients’ health information.
On 19 December 2021, ACL acquired Medlab, a pathology business operating in New South Wales and Queensland.
Around February 2022, Medlab suffered a cyber attack. A threat actor had installed ransomware in Medlab's IT environment, compromising various servers storing patient data and reports.
After discovery of a ransom note, ACL instructed a third party cyber security provider to investigate the incident. The provider undertook an assessment and concluded that no data had been taken and no harm was caused to any individual, although recommending that ACL “err on the side of caution” and "prepare a statement stating that there was a malware incident but no data has been exfiltrated nor lost and the incident is being controlled". Based on that advice, ACL determined that the incident was not an eligible data breach that needed to be reported to the regulator or customers.
However, on 25 March 2022, the Australian Cyber Security Centre (ACSC) notified ACL that it had received intelligence that Medlab may be the victim of a ransomware attack. ACL informed the ACSC that it did not believe that data had been taken and did not make any notification to the OAIC.
On or before 16 June 2022, 86 gigabytes of Medlab data containing the personal and sensitive information of around 223,000 individuals was published on the dark web. On 16 June 2022, the ACSC sent ACL a second notification, advising ACL of the publication of data, including personal information, health information, and financial information such as credit card details.
ACL sought legal advice after this second notification and undertook an assessment of the leaked data. On 10 July 2022, ACL formally notified the OAIC of the data breach.
The OAIC commenced an investigation into ACL's handling of the incident in December 2022 and brought civil penalty proceedings on 3 November 2023. These are the first data breach civil penalty proceedings brought by the OAIC and the first to reach a resolution.
The statement of agreed facts and admissions was agreed by the Commissioner and ACL, and ACL consented to the declarations and penalties sought by the Commissioner. This is a common approach used by other regulators, to help promote the predictability of outcomes and encourage corporations to cooperate in regulatory proceedings and admit contraventions to avoid extended litigation.
It is important to read the judgment in this light – the parties did not contest the claim before the court, meaning the court did not have to weigh evidence or arguments around how the relevant obligations under the Privacy Act should be interpreted. Instead, the court’s role was more limited: it was required to determine whether, on the basis of the agreed facts and admissions, it was independently satisfied there was in fact a contravention of the Privacy Act, whether declarations of contravention should be made, and whether the civil penalty amount is within the permissible or acceptable range determined by all the relevant factors and circumstances. The court retained a discretion to impose a different penalty if it considered the agreed penalty was not appropriate in all the circumstances.
Although ultimately approving the penalty, the court also noted that $5.8 million may appear "manifestly inadequate" or at least outside the range of penalties that would act as effective deterrence. Factors indicating that a larger penalty might have been appropriate include the nature of the contravention, the potential harm caused, and that ACL was one of Australia's largest private hospital pathology businesses with annual revenue peaking at $995.6 million at the time of the breaches.
Approximately 223,000 individuals were affected by ACL's breach of its APP 11.1 security obligations, exposing ACL to a theoretical maximum penalty of approximately $495 billion (on the basis of a separate contravention for each individual). Against this theoretical maximum, ACL and the Commissioner agreed and proposed a penalty of $4.2 million in respect of APP 11.1.
However, the court was ultimately satisfied that the agreed penalty was within the range of permissible penalties. The court took into account various factors including ACL's clean record among other things, its ongoing steps to develop a culture of compliance, the fact it had publicly apologised, co-operated with the Commissioner and admitted the contraventions, and the totality principle, which is designed to avoid an oppressively severe penalty, to arrive at an "instinctive synthesis" of competing factors that the agreed penalty was appropriate (and not merely a "cost of doing business").
This penalty was calculated under section 13G of the Privacy Act, which at the time imposed a maximum civil penalty of $2.22 million per contravention for a "serious or repeated" interference with privacy.
In applying this provision, the court took into account judicial consideration in other contexts (referring to decisions under the Australian Securities and Investments Commission Act 2001 (Cth) and the Corporations Act 2001 (Cth)) and considered serious to mean a "grave or significant" or "weighty, important, grave and considerable" contravention, to be determined "by reference to the degree of the departure from the requisite standard of care and diligence and the nature of the conduct".
While we expect similar considerations to remain relevant, important changes to the Privacy Act in 2022 and 2024 have changed how penalties will be calculated for a serious interference with privacy. The penalty range is now up to $50 million, three times the benefit or 30% of specified turnover, and there is no longer a separate limb for a "repeated" interference. As a result, in the future it will be easier for a court to both find a contravention and award a materially greater pecuniary penalty.
To read more about revised penalties, including new tiered enforcement options now available, see Australia's first tranche of privacy reforms – a deep dive and why they matter.
“Entities holding sensitive data need to be responsive to the heightened requirements for securing this information as future action will be subject to higher penalty provisions now available under the Privacy Act".
- Elizabeth Tydd, Australian Information Commissioner
| Contravention | What the Privacy Act requires, and what the court found |
|---|---|
| Failure to take reasonable steps to protect personal information (Australian Privacy Principle 11.1) | Australian Privacy Principle 11 requires an organisation to take such steps as are reasonable in the circumstances to protect personal information it holds from misuse, interference, and loss, and unauthorised access, modification, and disclosure. 'Reasonable steps' can mean different things for different organisations, taking into account the size and nature of the business, the volume and sensitivity of the information, the risks that were present at the time and the various deficiencies identified in the agreed facts. Expectations on ACL, as a large business handling large volumes of sensitive health information, would be significant. The court was satisfied that ACL did not take reasonable steps in this instance. ACL admitted that Medlab's ability to detect and respond to cyber security incidents itself was deficient. In addition, ACL did not identify these deficiencies before acquisition of the business, it was delayed in identifying these deficiencies even after acquisition, and it relied heavily on a single third party cyber security provider to detect and respond to the cyber incident, instead of having adequate internal capabilities to do so itself. |
| Failure to investigate a suspected incident (section 26WH) | An eligible data breach occurs where there is unauthorised access or disclosure (or loss where access or disclosure is likely to occur) of personal information that is likely to cause serious harm that has not been remedied by remedial action. An organisation that has reasonable grounds to suspect (but not necessarily believe) an eligible data breach has occurred must take reasonable steps to carry out, within 30 days, a reasonable and expeditious assessment of whether there are grounds to believe an eligible data breach has in fact occurred. Based on the agreed facts, the court was satisfied that ACL had contravened section 26WH: notification did not occur until 10 July 2022, and it was unreasonable for ACL to rely on the initial investigation given its deficiencies. This was a serious interference given, among other things, the sensitivity and volume of information compromised. |
| Failure to report an eligible data breach as soon as practicable (section 26WK) | Once an entity is satisfied that it has reasonable grounds to believe that an eligible data breach has occurred, the entity must prepare and provide a data breach notification to the OAIC as soon as practicable after becoming aware there are reasonable grounds to believe an eligible data breach has occurred. Based on the agreed facts, the court was satisfied that ACL had contravened section 26WK: ACL did not notify the OAIC until 10 July 2022. Although the court did not discuss the delay in notifying individuals, the agreed facts clarify that public notifications did not occur until 27 October 2022. |
As noted above, the court was satisfied, based on the agreed facts, that ACL did not take reasonable steps to protect the personal information of the individuals affected in the Medlab incident.
The requirement to take – and demonstrate – reasonable steps to protect personal information from unauthorised access or disclosure is not a simple tick-box exercise. It is an objective test that requires technical, operational, risk and legal expertise. Although organisations aren't expected to identify the universe of possible reasonable steps or the “one true path” to be followed, they must ensure that appropriate protections are put in place, considering the context relevant to them. Contextual factors can include:
the size and sophistication of the entity (including an ultimate parent company, which is relevant when a large entity acquires a smaller business, as in ACL's acquisition of Medlab);
the full framework of the entity’s systems, policies, and procedures;
the volume and sensitivity of personal information handled – including the potential impacts to individuals if that information were mishandled (for example, sensitive health information); and
the evolving threat landscape, the unique cyber security risks for that entity and any previous threats or attacks against the entity.
Robust cyber governance requires a clear understanding of an organisation’s cyber risks, and the effectiveness of controls (technical and operational) in place to secure information. The steps taken by organisations, along with internal and external capabilities, need ongoing review to consider each of these factors as they evolve.
ACL admitted it did not have adequate internal capabilities to detect and respond to cyber incidents. These deficiencies led to an over-reliance on its external cyber security service provider, a factor the court took into account in considering whether ACL had taken reasonable steps to protect personal information, as well as whether ACL’s failure was “serious.”
It is not sufficient for an entity to outsource compliance and rely on third parties to discharge its obligations – organisations are expected to make their own critical inquiries rather than delegating responsibility away.
External cyber security service providers are an essential resource to support and complement internal skills, and they should bring an independent view that avoids blind spots such as self-assessment bias. But it is clear from the ACL decision that external expertise is not enough: entities are expected to have their own cyber resilience and response capabilities.
The right cyber security partner will do more than review cyber resilience capabilities or help respond to an incident – they will help their clients build internal cyber resilience capabilities.
A productive engagement also means understanding the limits of a service provider. In ACL’s case, investigations were not thorough enough to be relied upon, and comments from ACL’s technical service provider drove decisions about ACL’s legal obligations to investigate and report data breaches under the Privacy Act.
Importantly, the court noted that ACL had begun its review and uplift of cyber security capability before the cyber attack, and continued to take steps following the incident, which helped demonstrate that ACL sought and continues to seek to "take meaningful steps to develop a satisfactory culture of compliance".
This commitment to uplift was specifically noted as an ameliorating factor in assessing the penalties, helping to justify a lower penalty than might have otherwise been imposed, despite ACL admitting deficiencies and failures to meet the notifiable data breach obligations. Even where there are failures, this recognises that bona fide uplift programs will be recognised and rewarded – and provides a further incentive for organisations to take demonstrable action before and after an incident.
As noted, one of the key failings arose because ACL's cyber security service provider conducted a limited investigation of the cyber incident, reporting that it believed no data had been exfiltrated and that threats to post data on the dark web were a "scare tactic". It was not until the ACSC advised ACL that data had been published on the dark web that ACL sought legal advice and notified the OAIC of the data breach, around five months after the cyber attack.
The court found that these limited investigations did not meet the standard required under the Privacy Act.
Data breach investigation is not the same as cyber incident root cause analysis – it needs a multi-disciplinary team that understands cyber security, disciplined and defensible risk assessment (including the risk that individuals may suffer harm), and rapidly developing legal requirements and regulatory expectations.
With the right team, post-incident investigations can be operationally effective to respond to live threats, satisfy legal processes, and produce findings that can be relied upon to take the right actions – like notifying regulators, and ensuring that customers are notified to protect themselves from further harm.
After M&A activity, it can take some time to fully integrate systems and cyber security standards – a window of opportunity that can make newly-acquired businesses particularly attractive to threat actors.
In times of change, processes break down and gaps emerge. Organisations undergoing integration with newly acquired businesses are often particularly vulnerable, as existing threats and issues will transfer with any IT integration and as threat actors may exploit the disruption and complexity inherent in these transitions. This period of change can expose businesses to heightened risks, including targeted external attacks and insider threats, especially when systems and teams are in flux.
The Medlab cyber attack occurred within a couple of months of ACL’s acquisition. It is not clear when attackers gained initial access to Medlab’s systems. While ACL’s pre-acquisition due diligence revealed that Medlab's cyber security environment was less mature, ACL did not know of important technical deficiencies. These deficiencies were, in time, addressed in post-acquisition integration – but were not adequately identified before the cyber incident. A more detailed and focused cyber security due diligence process may have revealed these challenges sooner, informing both the acquisition strategy and integration priorities.
The gaps highlighted in this instance make it clear that acquisition strategies need to:
prioritise pre-acquisition cyber security due diligence – consider the focus of the due diligence questionnaires starting with governance right through to security controls and using these findings to prioritise your cyber security response and remediation plan;
accelerate the cyber security review and remediation plan to protect systems before and during integration (not only as an outcome of integration or well afterwards); and
understand the very real liability risks during this vulnerable period, ensuring that transactional processes properly assess the risks and acquirers take steps to address those risks in practice, including holding joint cyber exercises and tests throughout the integration period.
Other authors: Clare Doneley, Partner; Nick Perkins, Counsel; Andrew Hilton, Expertise Counsel and Sylvia Mikha, Trainee.
Australia has seen an ongoing focus on building cyber resilience and reforming privacy regulation for the digital age. Read more at:
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.