Clifford Chance
Regulatory Investigations and Financial Crime Insights

Federal Court imposes first civil penalty under the Privacy Act: key lessons for cyber governance

On 8 October 2025, the Federal Court handed down its first civil penalty under the Privacy Act 1988 (Cth) ("Privacy Act"), marking a pivotal moment in Australian privacy enforcement. Australian Clinical Labs Limited ("ACL") agreed with the Australian Information Commissioner ("Commissioner") to pay a $5.8 million penalty for contraventions relating to a cyberattack on Medlab Pathology Pty Ltd ("Medlab") that occurred in February 2022 – an incident that occurred just nine weeks after ACL acquired the Medlab business ("Medlab Cyberattack"). 

Background

The decision sets a new benchmark for privacy compliance and cyber due diligence in Australia. Key takeaways for organisations include:

  1. Assess and rectify any IT systems vulnerabilities – Australian Privacy Principle ("APP") 11.1 imposes strict obligations on entities to secure personal information.
  2. Strengthen internal governance – cybersecurity and incident response must be owned internally; outsourcing is not a substitute for accountability.
  3. Conduct thorough IT due diligence during acquisitions – identify and address system weaknesses early.
  4. Treat personal data with care – each person affected by a data breach may represent a separate contravention under the Privacy Act.
  5. Engage legal counsel early – organisations have approximately 72 hours to assess a suspected eligible data breach.

The Medlab Cyberattack

ACL is a publicly listed company and is one of the largest private hospital pathology businesses in Australia. In December 2021, it acquired the assets of Medlab, a pathology business providing services in New South Wales and Queensland. In February 2022, a cyberattack was carried out by a malicious actor known as the Quantum Group, targeting Medlab's computer network and extracting 86 gigabytes of data, including the personal and sensitive information of more than 223,000 individuals, which was then published on the dark web. The stolen information included passport numbers, health records, and credit card details.

ACL engaged a third-party service provider to investigate and respond to the Medlab Cyberattack; however, the investigation was limited, reviewing only one firewall log and 3 of the 127 computers affected by the ransomware. On the independent provider's advice, ACL determined that no "eligible data breach" had occurred. The Australian Cyber Security Centre notified ACL in March 2022, and again in June 2022, that Medlab may have been the victim of a ransomware incident. In October 2022, ACL made an ASX announcement and a public apology in relation to the Medlab Cyberattack.

Legal findings and penalties

ACL admitted to the following contraventions of the Privacy Act in relation to its response to the Medlab Cyberattack:

  1. serious interference with the privacy of 223,000 individuals because ACL failed to take reasonable steps to protect their personal information from unauthorised access and unauthorised disclosure (constituting 223,000 separate contraventions of APP 11.1(b) and Privacy Act section 13G(a));
  2. failing to carry out a reasonable and expeditious assessment of whether there were reasonable grounds to suspect that there had been an eligible data breach (Privacy Act section 26WH(2)); and
  3. failing to notify the Commissioner as soon as practicable after it became aware of the eligible data breach (Privacy Act section 26WK(2)).

The Court ordered that ACL pay civil penalties totalling $5.8 million and a contribution of $400,000 towards the Commissioner's costs in the proceeding.

What constitutes "reasonable steps" under APP 11.1?

This case marks the first time that the Federal Court has provided guidance on what steps an organisation must take following a cyberattack to meet its obligations under the Privacy Act.

Under APP 11.1(b), entities that hold personal information are expected to take reasonable steps to protect that data from unauthorised access, modification or disclosure. What is considered to be objectively "reasonable" will depend on the specific circumstances of the incident. Going forward, the court is likely to assess factors such as:

  1. the sensitivity of the personal information;
  2. the potential harm to individuals if the information was accessed or disclosed;
  3. the size and sophistication of the entity;
  4. the cybersecurity environment in which the entity operates; and
  5. whether any previous threats or cyberattacks have been made against the entity.

An entity does not need to take every step that would be reasonable in the circumstances; it must choose a course of action that is objectively reasonable (which does not mean exhaustive).

In deciding that ACL did not take reasonable steps in response to the Medlab Cyberattack and so contravened APP 11.1(b) and section 13G(a) of the Privacy Act, the Federal Court considered:

  1. that ACL is one of Australia's largest private hospital pathology businesses (with access to large volumes of sensitive personal information) and operates in a high cyber threat landscape;
  2. the risk of harm to individuals if their health and personal information was disclosed;
  3. cybersecurity deficiencies in Medlab's IT systems, for example, weaknesses in its antivirus software, lack of file encryption and weak authentication measures;
  4. ACL's failure to identify cybersecurity deficiencies prior to the acquisition of Medlab and its delay in rectifying cybersecurity deficiencies post-acquisition; and
  5. the overreliance that ACL placed on third party providers to respond to cyber incidents and lack of adequate internal procedures.

This decision also provides new clarity over the meaning of a "serious" contravention of the Privacy Act; it may be construed as "grave or significant" and is determined by reference to the nature of the conduct, not the seriousness of the provision that has been contravened. ACL's contraventions were "serious" for reasons including that the volume of the sensitive health information and extent of the deficiencies in both Medlab's IT systems and cyberattack response significantly heightened the risk that personal information would be exposed to unauthorised access.

Timely notification: a legal imperative

Under section 26WK(2) of the Privacy Act, an entity is obliged to assess a cyber incident and report to the Commissioner as soon as practicable after it becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. The timeline for reporting is within two to three days of becoming aware of the possible breach. Given the constrained timelines of the Privacy Act, it is important to seek legal advice quickly and early in the event of a cyberattack.

This decision illustrates that companies should be careful to conduct assessments and notify the Commissioner appropriately and with haste. Even though ACL received independent advice that no personal data had been exfiltrated and no person had been harmed by the Medlab Cyberattack, the Court concluded that there was an eligible data breach because ACL was aware of circumstances that were objectively sufficient to enliven the requisite state of suspicion. An organisation must have robust internal cybersecurity processes and be capable of scrutinising any independent advice.

Mitigating risks and penalties: practical guidance

The severity of the civil penalties available to the court for breaches of the obligation to protect personal information should be noted. At the time of ACL's contraventions, the maximum penalty for its breaches of APP 11.1 was $495,060,000,000. The court was persuaded that the agreed aggregate penalty of $5.8 million was appropriate because ACL made a public apology, it cooperated with the Commissioner's investigation, it had no history of similar conduct, and the contraventions did not arise from deliberate misconduct by senior management. To mitigate potential penalties, organisations are encouraged to take proactive steps to rectify any cybersecurity or incident response failures (such as by undertaking breach simulations and ensuring board oversight).

This landmark decision underscores the need for proactive cybersecurity governance, rigorous due diligence, and timely breach response. If your organisation is navigating similar risks or would like to assess its privacy compliance status, please contact the Clifford Chance team.
