ARTICLE
14 October 2025

Australian Clinical Labs Fined AU$5.8 Million For 2022 Medlab Data Breach In An Australian First

K&L Gates LLP


The Federal Court has ordered Australian Clinical Labs (ACL) to pay AU$5.8 million in civil penalties following a 2022 data breach involving its then-newly acquired Medlab Pathology business. The breach affected over 223,000 individuals whose data was accessed and exfiltrated by malicious actors, and it is one of Australia's most significant healthcare cyber incidents.

This marks the first time civil penalties have been imposed under the Privacy Act 1988 (Cth), setting a critical precedent for privacy enforcement in Australia.

ACL was found to have breached several obligations and was fined:

  • AU$4.2 million for failing to take reasonable steps to secure personal information (APP 11.1), with over 223,000 contraventions of s 13G(a).
  • AU$800,000 for not conducting a timely and adequate assessment of whether the breach was an "eligible data breach" under s 26WH(2).
  • AU$800,000 for delays in notifying the Commissioner about the breach (s 26WK(2)).

Justice Halley described the breaches as "extensive and significant," highlighting failures in senior management oversight, risk management, and the potential for serious individual harm. Although ACL cooperated, admitted liability, and began improving cybersecurity, the ruling is a warning to organisations handling sensitive information to have robust and compliant breach response processes.

With penalties having increased since ACL's breach, now up to AU$50 million per breach, this case signals a turning point in privacy enforcement in Australia and sends a clear message: serious privacy failures will come with serious consequences.

Key Lessons

  • Plan ahead: Delays in assessing and reporting breaches were penalised. Legal, cybersecurity, and privacy teams must align to ensure incident response frameworks are ready.
  • Cyber due diligence: Poor IT integration during ACL's acquisition of Medlab was noted. Acquirers must conduct thorough data and cyber due diligence, especially when sensitive personal information is involved.
  • Regulatory pressure is rising: This case used the old (lower) penalty regime. Under current laws, boards and executives face even greater accountability.
