Australian Clinical Labs (ACL) has been ordered to pay AUD5.8 million for breach of the Privacy Act 1988 (Cth) (Privacy Act) following a 2022 cyber incident which impacted the personal information of over 223,000 individuals. This is the first ever civil penalty proceeding under the Privacy Act.
ACL was held to have breached three separate requirements under the Privacy Act, by failing to:
- Take reasonable steps to protect the personal information held by it, as required under Australian Privacy Principle (APP) 11.1;
- Carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred following the cyber incident, as required under s 26WH(2) of the Privacy Act; and
- Notify the Australian Information Commissioner (Commissioner) of the cyber incident “as soon as practicable”, as required under s 26WK(2) of the Privacy Act.
Significantly, for the purpose of calculating the civil penalties, it was held that a separate breach of the information security requirement in APP 11.1 arose in respect of each of the 223,000 individuals whose personal information was held on deficient IT systems.
For larger businesses, this method of calculating penalties could result in significantly higher sums being payable. For incidents occurring after 13 December 2022, these penalties may be up to the greater of AUD50 million, three times the value of the benefit obtained from the breach, or 30% of adjusted annual turnover.
Role of due diligence
The cyber incident occurred within the environment of ACL’s subsidiary, Medlab Pathology, which ACL acquired in December 2021 (approximately 3 months before the cyber incident occurred). Certain vulnerabilities in Medlab Pathology’s IT systems were not identified by ACL prior to the acquisition, as ACL intended to fully integrate Medlab Pathology into its own IT environment within 6 months.
The deficiencies of Medlab Pathology’s IT systems could have been mitigated by more detailed cyber security due diligence.
This decision means that buyers will need to ask more granular questions to satisfy themselves of the effectiveness of a target’s cyber security regime and the integrity of the target’s assets, rather than simply seeking to address cyber security via the post-completion integration process. For example:
- Buyers must determine if appropriate technical security measures are maintained by the target. Medlab Pathology’s IT systems lacked key security measures such as effective antivirus software, file encryption and firewalls with persistent logging configuration, which were necessary given the nature and volume of personal information held by it.
- Buyers should go beyond a “desktop review” of the target’s cyber security processes, including by seeking evidence that the processes have been independently assessed. For example, has the target recently conducted penetration testing of its key online environments? Has any open-source software used by the target been assessed for critical vulnerabilities?
- Where there are gaps in the information available as part of the due diligence process, buyers will need to consider whether it is practicable to conduct relevant assessments for themselves prior to completion.
- Remediation of critical vulnerabilities in key systems holding large volumes of personal information or sensitive information should be a condition precedent to completion.
- Buyers should also seek to confirm the maturity of the target’s operational security measures by identifying not just plans and processes, but also when those plans and processes were last reviewed and tested. ACL was held to have performed inadequate testing of Medlab Pathology’s incident management processes in the period between the acquisition and the cyberattack. An incident response plan is of limited value if not routinely tested.
Other key takeaways
Other key compliance points to note are as follows:
- Higher standards are expected from entities operating in high-risk sectors, such as health care. This confirms the Commissioner’s guidance that what is considered “reasonable” is not a one-size-fits-all standard and must be assessed depending upon the volume and sensitivity of personal information held by an entity, its resources, and the scale of the cyber security risks it faces.
- Cyber incident playbooks must clearly define roles and responsibilities for incident response efforts, detail the containment processes that should be deployed in the event of a cyber incident, and steps to mitigate the exfiltration of data. Additionally, it is not enough to simply prepare a playbook – key individuals within the response team must be familiar with, and trained on, the playbook prior to an incident occurring.
- Despite the absence of any fixed time scales under the Privacy Act for notification of eligible data breaches to the Commissioner, prompt action is required. A period of 2 to 3 days after becoming aware that an eligible data breach has occurred should be considered ‘practicable’ in most cases, given the relatively limited fields of mandatory information which need to be included in notifications to the Commissioner.
- Whilst external forensic experts may be engaged to assess suspected incidents, unreasonable reliance on third-party advice (even if that third party is a subject-matter expert) will not protect businesses from liability. In-house expertise is required to critically analyse the advice provided and independently assess whether an eligible data breach has occurred.
DLA Piper acted for the Commissioner in these proceedings. See here for further information on other aspects of the decision.