While the Privacy Act 1988 (Cth) (Act) has been in force for 37 years, there have been very few Federal Court decisions that have considered its provisions. On 8 October 2025, Justice Halley delivered judgment in Australian Information Commissioner v Australian Clinical Labs Limited [2025] FCA 1224.
This case marks the first time a court has considered Australian Privacy Principle (APP) 11 (security of personal information), the mandatory data breach provisions, and penalty provisions under the Act. It provides important guidance to organisations on compliance in circumstances where the regulator now has greater enforcement powers, and access to increased maximum civil penalties following amendments to the Act in 2022 and 2024.
Relevant facts about Australian Information Commissioner v Australian Clinical Labs Limited [2025]
The matter was not a fully contested hearing; most of the facts were agreed. The focus was on whether the penalties sought by the Australian Information Commissioner (AIC) and accepted by Australian Clinical Labs (ACL) were appropriate. The parties provided the Court with a Statement of Agreed Facts and Admissions (SAFA), which is annexed to the judgment. The SAFA included a caveat that the matters are not disputed "for the purpose of the proceeding".
ACL was at the relevant time one of Australia's largest private hospital pathology businesses with annual revenue well in excess of $600M.
On 19 December 2021, ACL acquired the assets of Medlab Pathology Pty Ltd (Medlab). Medlab was a privately owned pathology business that provided health services in New South Wales and Queensland, including prenatal genetic testing, fertility assessments, and testing for sexually transmitted diseases. At the time of the acquisition, Medlab collected and held personal and sensitive information, including health information, contact information, passport numbers, credit card information, and payment details of its customers. Prior to the acquisition, ACL had conducted limited diligence in connection with Medlab's cybersecurity practices and compliance with obligations arising under privacy laws.
The diligence was primarily conducted by way of a "Cybersecurity and Privacy Questionnaire". ACL was aware at the time of acquisition that Medlab had not conducted an IT penetration test, vulnerability assessment or IT security audit in the previous six years, and that Medlab did not have sophisticated cybersecurity processes in place. However, the full extent of the deficiencies was not apparent to ACL until some time after it took control of the Medlab IT Systems. The deficiencies included weak authentication measures, a lack of file encryption, and inadequate antivirus software.
On or before 25 February 2022, a threat actor known as the Quantum Group initiated a cyberattack against the Medlab IT Systems and made a ransomware demand.
ACL's initial response to the cyberattack relied heavily on a third-party cybersecurity services provider, StickmanCyber, which had been engaged by ACL since February 2021 to provide services related to ACL’s IT environment.
StickmanCyber informed ACL that Quantum Group’s ransom note stated that it would 'post your data…' within 48 hours if its demands were not met, but then advised ACL that:
'…I don’t feel that this will happen and it is merely a scare tactic, however, to err on the side of caution I would suggest that you prepare a statement stating that there was a malware incident but no data has been exfiltrated nor lost and the incident is being controlled...'
StickmanCyber conducted an investigation of the cyberattack and provided ACL with an "Incident Summary Report" on 2 March 2022, which identified that a computer was infected.
On 15 March 2022, after its investigation had closed, StickmanCyber advised ACL that it did not consider that the cyberattack had caused harm to any individual. By 21 March 2022, based on the analysis provided by StickmanCyber, ACL had determined that the cyberattack was not an eligible data breach within the meaning of s 26WE of the Act.
However, it transpired that the investigation was inadequate for several reasons:
- Limited Monitoring: the investigation only monitored 3 of at least 127 computers that were affected by the ransomware deployed by the Quantum Group.
- Lack of Comprehensive Investigation: StickmanCyber did not conduct any investigation into the Quantum Group and its known attack traits to determine whether data was likely to have been exfiltrated.
- Insufficient Firewall Log Review: the review was based on only one of the firewall logs, which was not accessed until approximately four hours after the ransom demand was first downloaded (the Medlab firewall retained logs for only one hour, as noted below).
- Limited Persistence Mechanism Investigation: StickmanCyber conducted only a limited investigation into whether the Quantum Group may have established mechanisms to maintain access to the Medlab IT Systems and network.
On 16 June 2022, the Australian Cyber Security Centre (ACSC) notified ACL that 86 gigabytes of data exfiltrated by the Quantum Group had been published on the dark web. It later transpired that this data contained the personal information of 223,000 individuals, including names, addresses and contact details; sensitive health information such as medical records, test results and other health-related data; and credit card information and payment details.
ACL subsequently notified the Australian Information Commissioner on 10 July 2022 that there had been an eligible data breach. This was over four months after ACL became aware of the ransomware attack.
The outcome of Australian Information Commissioner v Australian Clinical Labs Limited [2025]
The Court declared that ACL contravened:
- section 13G(a) of the Act by failing to take reasonable steps to protect personal information from unauthorised access, modification, or disclosure. This breach occurred between 19 December 2021 and 15 July 2022, following ACL's acquisition of Medlab Pathology's assets (Personal Information Contraventions).
- section 26WH(2) of the Act by failing to carry out a reasonable and expeditious assessment of whether the circumstances of the Medlab cyberattack amounted to an eligible data breach within 30 days of 2 March 2022 (Assessment Contraventions).
- section 26WK(2) of the Act by failing to prepare and give a statement to the AIC as soon as practicable after forming the view by 16 June 2022 that there were reasonable grounds to believe that there had been an eligible data breach (Notification Contraventions).
ACL was ordered:
(a) to pay a civil penalty of $5,800,000 to the Commonwealth of Australia within 30 days. This penalty is comprised of:
(i) $4,200,000 for the Personal Information Contraventions.
(ii) $800,000 for the Assessment Contravention.
(iii) $800,000 for the Notification Contravention.
(b) to pay a contribution of $400,000 towards the Commissioner’s costs in the proceeding.
Personal Information Contravention
APP 11.1 provides that:
If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.
The Court noted that what will be considered reasonable in the circumstances is an objective standard that will be given a broad construction. The factors to be considered in applying the standard include:
- the sensitivity of the relevant personal information;
- the potential harm to individuals if the information was accessed or disclosed;
- the size and sophistication of the APP entity;
- the cybersecurity environment in which the APP entity operates; and
- any previous threats or cyberattacks made against the APP entity.
The Court also considered that the exercise in assessing what steps are reasonable in the circumstances under the APP 11 ought to be informed by judicial consideration of similar legislative requirements that import a "reasonable steps" obligation, including under various sections of the Corporations Act 2001 (Cth). Notably, the obligation to take "such steps as are reasonable in the circumstances" does not necessarily rise as high as taking all reasonable steps, or identifying and taking the optimal steps.
In the circumstances of this case, the Court considered that the following factors gave rise to a finding that ACL had not taken such steps as were reasonable in the circumstances to protect personal information from unauthorised access or disclosure:
- the size and nature of the business of ACL;
- the volume and sensitivity of the information;
- the high cybersecurity risks facing ACL during the relevant period and the risk of harm to individuals if their health and other personal information held by ACL on the Medlab IT Systems was accessed and disclosed without authorisation;
- the Medlab IT Systems Deficiencies;
- ACL’s failure to identify the Medlab IT Systems Deficiencies prior to the acquisition;
- the delay in ACL identifying the Medlab IT Systems Deficiencies; and
- the overreliance that ACL placed on third party service providers and its failure to have in place adequate procedures to detect and respond by itself to cyber incidents.
In respect of ACL's inadequate procedures to detect and respond to cyber incidents, the Court noted that ACL admitted that:
- the ACL cyber incidents playbooks did not clearly define roles and responsibilities for incident response efforts, contained limited detail on containment processes that should be deployed in the event of a cyber incident or steps that ACL should take to mitigate exfiltration of data in the event of a cyber incident, and recommended steps for technologies that were not used within the Medlab IT Systems,
- there was inadequate testing of incident management processes in the period between the acquisition of the Medlab IT Systems and the Medlab Cyberattack,
- Data Loss Prevention (DLP) tooling was not used on the Medlab IT Systems to detect or prevent the theft of personal information and data held on those systems,
- no adequate tooling capable of behaviour-based analysis of activity (to identify malicious actions that an antivirus product would not detect) was in use,
- there was no application whitelisting in place to prevent unknown or unauthorised applications from running on Medlab computers,
- there were only limited communications plans,
- the Medlab IT Team Leader had not seen, used, or received training on the playbooks provided and had no formal cybersecurity background or incident response training,
- there was limited security monitoring capability because the firewall logs were only retained for one hour,
- specific data recovery plans had not been developed, and
- Medlab staff were not required to use multi-factor authentication to access the Medlab VPN.
The above matters serve as a useful checklist for companies to consider in any privacy or cyber security audit in the wake of this decision, noting that they are likely to be cited as a baseline for what may constitute reasonable steps.
Approach to civil penalties
Section 13G of the Privacy Act sets out the civil penalty regime for serious interferences with privacy of an individual. An interference with privacy of an individual includes conduct that contravenes the APPs or fails to comply with relevant aspects of the Notifiable Data Breach Scheme.
The maximum penalty for a serious interference with the privacy of an individual that has occurred since 13 December 2022 is not more than the greater of:
(a) $50 million;
(b) if a Court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtained from the contravention – three times the value of that benefit; and
(c) if a Court cannot determine the value of that benefit – 30% of the adjusted turnover of the body corporate during the breach turnover period (minimum 12 months) for the contravention.
However, at the time the contraventions in this matter occurred (prior to the 2022 amendments to the Privacy Act), the maximum civil penalty was prescribed as up to 2,000 penalty units and the value of a penalty unit was $222. Section 82(5)(a) of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) provides that the pecuniary penalty for a body corporate must not be more than five times the pecuniary penalty specified for the civil penalty provision. Therefore, the maximum penalty that could be imposed under the penalty regime which was in force at the time of the contraventions, was $2.22 million per contravention (ie 2,000 penalty units × $222 × 5).
In relation to Personal Information Contraventions, the AIC and ACL agreed that each individual whose personal information was compromised was treated as a separate contravention of the Privacy Act. The Court therefore noted that the potential maximum penalty in relation to the incident was $495,060,000,000 (ie 223,000 contraventions × $2.22 Million).
In contrast, each of the Assessment Contravention and Notification Contravention amounted to a single contravention of the Act, hence the lower maximum penalties referred to for those contraventions.
The Court's approach to applying the pecuniary penalty provisions in this case involved several key considerations:
- Nature and Extent of Contraventions: The Court assessed the seriousness of the contraventions by ACL, including the failure to protect personal information, the inadequate response to the cyberattack, and the failure to notify the Commissioner in a timely manner.
- Extent of Harm: The Court considered the potential harm caused by the contraventions, including the risk of financial harm, distress, psychological harm, and material inconvenience to the individuals whose personal information was compromised.
- Deterrence: The Court emphasised the importance of both specific and general deterrence. The penalty needed to be sufficient to deter ACL from future contraventions and to send a strong message to other entities about the importance of complying with privacy obligations.
- Mitigating Factors: The Court took into account several mitigating factors, including ACL's cooperation with the investigation, the steps taken to improve its cybersecurity capabilities, the lack of prior breaches, and the absence of deliberate misconduct.
- Agreed Penalty: The Court recognised the importance of promoting predictability of outcomes in civil penalty proceedings. The agreed penalty of $5,800,000 was considered to fall within the permissible range of penalties and was accepted by the Court.
Implications
The case highlights several potential areas of risk for organisations.
Cybersecurity and data management
All APP entities must proactively and regularly review the systems, processes and technological measures that they have put in place to protect the personal information that is held in their organisation. This includes their business as usual practices, along with their data breach response plans.
This judgment provides some guidance as to what the Office of the Australian Information Commissioner (OAIC) and the court will regard as reasonable steps. Australian businesses must keep up to date with the developing cyber risk environment, and the specific risks associated with their particular industry in assessing whether their current systems, processes and technological measures are reasonable. There is not necessarily a one size fits all approach to compliance. Acquiring assets from a less sophisticated party will raise a real risk of non-compliance if it is not possible to immediately bring the new assets up to the appropriate cybersecurity standard.
In the context of a data breach, merely outsourcing responsibility for the management and investigation of a cyber incident to a third party is not sufficient for an entity to meet its obligations under the Act and will not provide coverage if there is a delay in identifying a notifiable data breach, and providing notice to the OAIC. In this case, the third-party provider, StickmanCyber, conducted a limited investigation that only monitored a small fraction of the affected systems and did not thoroughly investigate the threat actor's methods or the extent of data exfiltration. This inadequate investigation led to ACL's reliance on incomplete and potentially misleading information, which ultimately delayed the identification and notification of the data breach to the OAIC.
Organisations must implement appropriate internal processes and invest in their own competencies in this space, in addition to obtaining support from competent, independent advisors and experts as required. It is clear that to the extent the third-party provider's investigation and response to a cyber incident is inadequate, the organisation will be liable for contraventions of the Act that arise from that inadequate investigation.
This underscores the importance of organisations ensuring that they have the capability to adequately assess the quality of the services provided by third parties and having robust internal competence and incident response procedures in place to manage the process rather than solely relying on external providers. ACL's overreliance on StickmanCyber and its lack of proper incident management processes contributed to the failure to adequately protect personal information and respond effectively to the cyberattack.
Due Diligence, Pre-Completion and Post-Acquisition Steps
Despite ACL being aware of some of the potential cybersecurity risks associated with Medlab prior to acquisition, the risks were not addressed prior to completion, nor were they promptly addressed after completion.
This case also highlights the importance of conducting thorough due diligence when acquiring IT systems and personal information from third parties. Such diligence must go beyond a paper review and investigate whether a target entity has deployed robust cybersecurity measures and that they have proper incident management processes in place. If personnel are acquired from a third party, it is critical that they receive appropriate induction and training to ensure that they understand the new systems, processes and incident response frameworks that they are expected to comply with following acquisition.
If deficiencies or risks are identified during the diligence process, there are opportunities to address those matters prior to or immediately after completion and such remedial steps should be appropriately scoped and factored into the transaction.
Failure to do so can result in the acquiring company inheriting a substantial privacy risk, which, if realised, is likely to lead to significant penalties and reputational damage, that may not be adequately offset by a warranty and corresponding indemnity.
Data and privacy breaches, and the disputes and enforcement action that can follow, are becoming increasingly frequent, damaging and high profile.