Lab group’s $6 million penalty a ‘turning point’ for data regime
Australian Clinical Labs must pay $5.8 million over a 2022 data breach, marking the first civil penalty imposed under the Privacy Act.
A cyberattack on ACL’s Medlab Pathology business resulted in unauthorised access and removal of personal information for more than 223,000 people. ACL admitted contraventions of the act.
“For the first time, a regulated entity has been subject to civil penalties under the Privacy Act, in line with the expectations of the public and the powers given to the [Office of the Australian Information Commissioner],” privacy commissioner Carly Kind said.
The case is “an important turning point” in the enforcement of privacy laws and should serve as a “vivid reminder” to entities that serious data protection failures have consequences, Ms Kind says.
The Federal Court has imposed a $4.2 million penalty for ACL’s failure to take reasonable steps to protect personal information held on Medlab Pathology’s IT system.
A further $800,000 was imposed for ACL's failure to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred after the cyberattack, and another $800,000 for its failure to give the information commissioner a statement about the breach.
ACL must also pay $400,000 towards the OAIC’s costs.
The company’s revenue was almost $1 billion in the year of the breach, and it employed about 5400 staff.
Medlab’s IT team leader had received no training on responding to cyberattacks, nor on how to use the company's ransomware playbook.
Justice John Halley says the group’s contraventions were “extensive and significant” and resulted from insufficient diligence.
Mitigating factors were that ACL apologised and admitted liability, co-operated with investigators, has stepped up cybersecurity and is developing a compliance culture.
Under the regime in force at the time of the 2022 breach, penalties were capped at $2.22 million per contravention. Since the Privacy Act was amended later that year, the maximum for a serious or repeated interference with privacy is the greater of $50 million, three times the value of the benefit derived from the misconduct, or 30% of the entity's adjusted turnover for the period of the contravention.
“Entities holding sensitive data need to be responsive to the heightened requirements for securing this information, as future action will be subject to higher penalty provisions now available,” information commissioner Elizabeth Tydd said.
Law firm Moray & Agnew says the decision is “instructive”.
“It highlights the kinds of penalties a court is prepared to apply if a data breach occurs,” it said. “Businesses should not take their privacy and information management obligations for granted.”