The first civil penalty proceeding brought by the Australian Information Commissioner for alleged breaches of the Privacy Act 1988 (Cth) has resulted in the Federal Court determining the aggregate pecuniary penalty of $5.8M fell within the permissible range.
In issue
- Whether the respondent had contravened s13G(a) of the Privacy Act 1988 (Cth) (the Act) by failing to take reasonable steps to protect personal information from unauthorised access or disclosure.
- Whether the respondent had contravened s13G(a) by breaching s26WH(2) of the Act by failing to conduct a reasonable and expeditious assessment of whether there were reasonable grounds to believe that the Medlab Cyberattack amounted to an eligible data breach.
- Whether the respondent had contravened s13G(a) by breaching s26WK(2) of the Act by failing to notify the applicant as soon as practicable after becoming aware of reasonable grounds to believe that the Medlab Cyberattack amounted to an eligible data breach.
The background
As the largest provider of health care services in Australia, Australian Clinical Labs Ltd (the respondent, ACL) collected and held personal and sensitive information of its patients.
On 19 December 2021, ACL acquired MedLab Pathology Pty Ltd (Medlab), which included ownership and control of Medlab’s information technology systems.
On or around 25 February 2022, the Quantum Group initiated a cyberattack against Medlab, resulting in some 86 gigabytes of sensitive health information for over 223,000 individuals being accessed and published on the dark web (cyber attack).
As a result of the cyber attack, ACL contacted its third-party cybersecurity provider, StickmanCyber (Stickman), to investigate the cyber attack. Based on its investigations, Stickman advised that no data had been lost and/or exfiltrated.
Despite being notified by the Australian Cyber Security Centre (ACSC) that ACL may have been the victim of a ransomware incident, and reminded that ACL may be required to notify the Australian Information Commissioner and affected individuals, ACL advised the ACSC that it did not believe any data had been exfiltrated.
On or before 16 June 2022, 86 gigabytes of data was published by Quantum Group on the dark web, which contained complete credit card information and personal information of Medlab's patients.
On 10 July 2022, ACL provided a statement under s26WK of the Act notifying the applicant, the Australian Information Commissioner (Commissioner).
The Commissioner claimed that ACL breached s13G(a) of the Act by failing to conduct a reasonable assessment of whether there were reasonable grounds to believe that the Medlab Cyberattack had amounted to an eligible data breach, and by failing to notify the Commissioner as soon as practicable after becoming aware of grounds to believe that the same attack had amounted to an eligible data breach. In the agreed facts and admissions provided to the Court, ACL acknowledged it did not take 'such steps as are reasonable in the circumstances'. The Court's primary considerations were the extent to which the relevant sections were contravened and what penalty to impose.
The decision at trial
At trial, the Court was satisfied that ACL did not take 'such steps as are reasonable in the circumstances' to protect the personal information held on Medlab's IT systems from, relevantly, 'unauthorised access' and 'unauthorised disclosure'. This was particularly so taking into account the volume and sensitivity of the information, and the inability of ACL to detect and respond to cyber incidents by itself.
In determining that the agreed penalty of $5.8 million was appropriate, the Court took into account that:
- The contraventions were extensive and significant
- ACL’s contraventions of s13G(a) of the Act resulted from its failure to act with sufficient care and diligence in managing the risk of a cyberattack
- While not possible to quantify the loss and damage caused, the contravening conduct had at least the potential to cause significant harm to individuals whose information had been exfiltrated, including financial harm, distress or psychological harm, and material inconvenience
- The contraventions had the potential to have a broader impact on public trust in entities holding private and sensitive information of individuals
- ACL is and was one of Australia’s largest private hospital pathology businesses which was relevant to deterrence, and
- ACL’s most senior management were involved in the decision making around the integration of Medlab’s IT system into ACL’s systems, and ACL’s response to the cyber attack.
The above matters were weighed against a number of ameliorating considerations, including:
- ACL did not derive financial gain from the contraventions
- ACL did not have any prior history of contravening the Act, or engaging in any similar conduct
- The contraventions were not deliberate
- ACL had begun reviewing its cybersecurity processes prior to the cyber attack, which included steps being taken to increase the company’s cybersecurity capabilities
- ACL had co-operated during the investigations
- ACL had admitted to the contraventions prior to the hearing on liability
- ACL’s CEO had apologised for the cyber attack, and
- Despite the fact there had been approximately 223,000 contraventions, these arose from a single course of conduct, which was the failure to have in place adequate cybersecurity controls to protect the personal information held by Medlab.
Implications for you
This case highlights the importance of APP entities being aware of their obligations when it comes to matters of cyber security, especially when navigating the legislative requirements for the reporting of cyber-attacks. While organisations often rely on external consultants in relation to cyber security, the obligation to comply with the legislation falls on the organisation. It is imperative that entities develop well-thought-out Cyber Incident Response Plans which address not only the immediate steps to be taken following a cyber-attack but also consider and address reporting obligations.
Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224
