ARTICLE
6 October 2025

First Civil Penalty Under The Privacy Act Of $5.8 Million Agreed By ACL: What You Need To Know

KL
Herbert Smith Freehills Kramer LLP

Contributor

Herbert Smith Freehills Kramer is a world-leading global law firm, where our ambition is to help you achieve your goals. Exceptional client service and the pursuit of excellence are at our core. We invest in and care about our client relationships, which is why so many are longstanding. We enjoy breaking new ground, as we have for over 170 years. As a fully integrated transatlantic and transpacific firm, we are where you need us to be. Our footprint is extensive and committed across the world’s largest markets, key financial centres and major growth hubs. At our best tackling complexity and navigating change, we work alongside you on demanding litigation, exacting regulatory work and complex public and private market transactions. We are recognised as leading in these areas. We are immersed in the sectors and challenges that impact you. We are recognised as standing apart in energy, infrastructure and resources. And we’re focused on areas of growth that affect every business across the world.

On 29th September, Australian Clinical Labs (ACL) and the OAIC informed the Federal Court of Australia that they had reached agreement on a $5.8 million penalty arising from ACL's 2022 data breach involving the personal information of 223,000+ Medlab customers. This is likely to be the first civil penalty under the Privacy Act. The parties' agreed position was supported by a Statement of Agreed Facts and Admissions (SAFA): this is linked.

How was the penalty calculated?

The penalty agreed by the parties was broken into the following components:

  • $4.2 million for failing to take reasonable steps to protect the personal information of Medlab customers (APP 11);
  • $800,000 for contravening s 26WH(2) of the Privacy Act, which requires an entity to conduct an assessment of whether there are reasonable grounds to believe that a data breach has occurred (i.e. whether there has been an 'eligible data breach'); and
  • $800,000 for contravening s 26WK(2) of the Privacy Act, which requires an entity to prepare a statement about a data breach as soon as reasonably practicable after becoming aware of such a breach (i.e. notify the Privacy Commissioner and impacted individuals).

It is now a matter for the Court to determine whether the $5.8 million penalty is appropriate.

Will we see more privacy penalties from the OAIC?

The OAIC has two further civil penalty proceedings on foot against companies arising from significant 2022 data breaches. It is difficult to know what the next step will be, but this demonstrates an intention to pursue penalties in relation to privacy breaches and incident response.

What does the SAFA in this matter tell us?

The following facts were agreed between the parties (and so were not Court findings). Despite this, they provide an indication of the types of issues we should consider to ensure cyber posture and response capabilities are adequate.

Broadly, the facts demonstrate the need to:

  • conduct robust and technically informed cybersecurity due diligence during M&A transactions;
  • properly test incident response plans; and
  • prioritise early risk mitigation, especially when integrating legacy systems.
  1. Limited due diligence. ACL acquired Medlab only a few months before the cyber attack occurred:
    1. ACL's due diligence relied heavily on questionnaire responses and it did not demonstrate a "complete understanding" of Medlab's IT systems.
    2. Although ACL was aware that Medlab did not have sophisticated IT and cybersecurity processes in place, and that those processes were less mature than ACL's own, no recent audits or vulnerability or penetration testing had been conducted at Medlab.
    3. Critical weaknesses in Medlab's IT systems were not identified, including outdated software, lack of multi-factor authentication to use a VPN, lack of encryption and insufficient monitoring.
  2. Post-acquisition exposure. The cyber incident occurred during the integration phase, when Medlab's systems were still operating independently. ACL was aware that the Medlab systems were significantly more exposed to the risk of a cyber attack.
  3. Deficiencies in the response
    1. Playbooks contained generalised steps, with limited detail on containment. They did not clearly define roles and responsibilities, and there were limited communications plans.
    2. Incident management processes had not been tested during the 2-month period between the completion of the acquisition and the date of the cyber attack (only a tabletop exercise was completed), and Medlab individuals initially tasked with managing the response had not received training on, or seen, the playbook.
    3. Technology controls were lacking, such as endpoint and response tooling, application whitelisting, security monitoring and data recovery plans.
  4. Investigation and notification gaps and delays. It took around 4.5 months between the incident occurring and ACL notifying the Commissioner under s 26WK of the Privacy Act. Notifications to impacted individuals commenced 8 months after the incident was initially detected. It was therefore noted that:
    1. ACL failed to carry out a reasonable and expeditious assessment of whether there were reasonable grounds to believe that an eligible data breach had occurred. ACL knew that the initial forensic investigation from ACL's third-party provider (which failed to identify the data exfiltration) was unreasonably limited and inadequate. For example, only 3 of the 127 computers impacted were analysed and there was no attempt to assess the likelihood of this threat actor exfiltrating the data.
    2. ACL was subsequently notified by the Australian Cyber Security Centre of the exfiltrated data. It notified the Privacy Commissioner almost a month afterwards, when it should have been capable of doing so within 2-3 days.
  5. Forensic investigation gaps. ACL's initial forensic investigation was limited in scope and failed to detect data exfiltration. ACL received advice and assistance from a third-party forensic provider to the effect that personal information had not been exfiltrated. That position was incorrect, as the Australian Cyber Security Centre subsequently notified ACL. Sensitive data of over 223,000 individuals was later confirmed to have been stolen and published on the dark web, including financial details, tax file numbers, ID information, contact details and health information.
  6. Uplift steps taken by ACL. ACL improved its corporate culture of compliance with regard to cybersecurity throughout the relevant period. Prior to the incident occurring, it had engaged a third party to undertake a review, and had developed a program of works to uplift its cybersecurity capabilities. A further expert was engaged in the months leading up to the cyber incident, with findings of good governance around the improvement plans.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
