In a clear warning to businesses about insufficient data protections, the Federal Court has issued the first civil penalty under the Privacy Act arising from a cyber breach. Pathology company Australian Clinical Labs (ACL) is the first organisation in Australia ordered to pay a regulatory penalty (totalling $5.8 million) after a data breach affecting 223,000 people1.

Personal information including credit card and passport details was published on the dark web. ACL learned of the breach in February 2022 but did not make a full mandatory report to the Office of the Australian Information Commissioner (OAIC) until July 2022.

In 2023 the OAIC commenced civil penalty proceedings against ACL in the Federal Court for insufficient data protection.

Lack of sufficient data protections contributed most to the penalty imposed

Key infractions covered by the penalty include:

  • $4.2 million (over 70% of the penalty) for failing to take reasonable steps to protect personal information, a failure attributed in part to over-reliance on its external IT security provider
  • $0.8 million for failing to carry out a timely assessment of whether the cyberattack amounted to an eligible data breach
  • $0.8 million for failing to notify the Commissioner of the breach as soon as practicable
  • $0.4 million towards the OAIC's costs.

These amounts are a prompt for businesses to check whether their cyber policy covers regulatory fines and penalties arising from personal information breaches, and whether the sums insured are adequate.

Key weaknesses in business cyber security that led to failure

The Federal Court identified several failures by ACL to meet its obligations under the Privacy Act2.

ACL's over-reliance on external services, in particular its third-party cyber security provider, was a key factor: it meant ACL failed to take reasonable steps to protect personal data and had limited ability to respond to cyber security incidents. In assessing what steps were reasonable, the Court considered:

  • the size and nature of ACL's business
  • the amount of sensitive personal data it held
  • the level of cyber security risk and potential for harm
  • the extent of existing MedLab systems deficiencies
  • the due diligence process prior to acquisition.

How a business acquired by the company created a cyber risk

When ACL acquired MedLab Pathology it inherited both MedLab's IT systems and the sensitive patient data they held. Months after the acquisition, the Quantum ransomware group attacked MedLab's systems, exploiting critical vulnerabilities. The result was a major data breach and the publication of 86 gigabytes of data on the dark web.

In preparing for the MedLab acquisition, ACL overlooked relevant vulnerabilities in MedLab's systems and deficiencies in its ability to respond to cyber threats and remediate them rapidly, indicating a lack of rigorous due diligence in this critical area.

Lack of cyber breach response planning maximises damage potential

Another key failing was ACL's inadequate cyber breach response protocols: incident management procedures were not tested, preventative tools were absent, and roles and responsibilities for handling data breaches were not clearly defined.

ACL also failed to notify the OAIC of the breach within a reasonable time, taking months (February to July 2022) rather than days to report the data loss.

These deficiencies were compounded by inadequate security monitoring, no data recovery contingencies, and no requirement for MedLab staff to use multifactor authentication (MFA) when connecting to the virtual private network (VPN). Remote access protected by a password alone is a well-known entry point for ransomware operators; MFA on VPN access is a baseline control.

Critical cyber security learnings from the first Privacy Act penalty

  • Businesses should be aware that regulators can seek substantial penalties for serious interferences with privacy, now up to the greater of $50 million, three times the value of any benefit obtained from the contravention, or 30% of adjusted turnover for the relevant period3.
  • Each affected individual can represent a separate contravention of the Act, so large-scale incidents multiply the potential exposure.
  • Where a data breach is suspected, the organisation must assess within 30 days whether it is an eligible data breach and, once it reasonably believes that it is, notify the OAIC and affected individuals as soon as practicable. It must not wait on an external provider's assessment to do so2.
  • Business acquisitions need scrutiny of the privacy and cyber security liabilities being inherited, with remediation undertaken before ownership is transferred.
  • Organisations need to own their cyber security risk management and breach response planning internally, rather than outsourcing them wholesale to third-party providers.

How cyber insurance can support business security

Cyber insurance provides access to legal and technical experts who can help an organisation meet its privacy obligations and reduce operational disruption. Policies may also cover financial loss from business interruption, remediation costs and reputational harm, and may respond to fines or penalties imposed under the Privacy Act where these are insurable at law.

Coverage advice from specialist cyber insurance brokers is critical in a market where coverage varies significantly and cyber threats are complex and constantly changing.

Key reminders for cyber security:

  1. Review and stress-test your cyber incident response plan.
  2. Continuously uplift cyber security: take ongoing reasonable mitigation steps, review and improve regularly, and especially after any incident or lessons learned. Apply the same expectation to external IT service providers.
  3. Conduct cyber security due diligence in merger and acquisition (M&A) transactions.
  4. Check that insurance coverage is adequate for potential regulatory penalties.

In addition to cyber insurance protection, Gallagher offers cyber expertise, advice and resources for building business resilience to help withstand cyber security incidents.



Sources

1 "Australian Clinical Labs faces first Privacy Act civil penalty order with $5.8m payment", Cyber Daily (cyberdaily.au), 9 October 2025.

2 "Notifiable data breaches", Office of the Australian Information Commissioner, accessed 25 November 2025.

3 "$5.8 Million Privacy Penalty — A First For Privacy Law Enforcement", Mondaq, accessed 25 November 2025.


Disclaimer

Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312