Groundbreaking civil penalties were ordered in the Federal Court on 8 October 2025, in the matter of Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 (per Halley J). The penalties, facts and admissions had been agreed between the parties previously. This was the first civil penalty proceeding brought by the Australian Information Commissioner (Commissioner) in the history of the Privacy Act 1988 (Privacy Act).[i]

This judgment was also notable as the first judicial consideration of APP 11.1(b), which requires APP entities that hold ‘personal information’ to take such steps as are ‘reasonable in the circumstances’ to protect the information from ‘unauthorised access, modification or disclosure’. It applies s 13G (the civil penalty provision for serious breach of privacy) to an APP 11.1 cybersecurity failure, considering the scope of relevant circumstances and what may be sufficient to constitute ‘reasonable steps’ under the Privacy Act.

Factual background

Australian Clinical Labs Limited (ACL) is one of the largest private hospital pathology businesses in Australia. On 19 December 2021, ACL acquired the assets of the smaller Medlab Pathology Pty Ltd, planning to integrate the two companies’ IT systems over the following six months. Around 25 February 2022, the criminal Quantum Group initiated a cyberattack on the Medlab systems (the Medlab cyberattack), whereby approximately 86 gigabytes of data were exfiltrated. This data included personal and sensitive information of at least 223,000 individuals, and included passport numbers, health information and financial information.

When initial indications of a cyberattack became apparent within the company, followed by alerts from an expert external body, ACL opted to be guided by its established IT services provider, StickmanCyber (Stickman). The attackers made a ransom demand, and the exfiltrated data was subsequently published on the dark web. External legal assistance was not sought by ACL until the cyber incident had reached a late stage (June 2022) and the Commissioner was not notified of ACL’s reasonable belief that an eligible data breach had occurred until 10 July 2022. Further, though not the subject of these proceedings, it is also worth noting that ACL did not make an ASX announcement and apology until 27 October 2022.

Declarations and orders

The Court’s declarations addressed three main failings by ACL and were in the form sought by the Commissioner and agreed by ACL.

  1. Breach of APP 11.1 – failure to take reasonable steps to protect personal information. The Court’s first declaration stated that between 19 December 2021 and 15 July 2022, in contravention of s 13G(a) of the Privacy Act, ‘…ACL did not have in place adequate cybersecurity controls, which meant that it did not take reasonable steps to protect the personal information of those individuals that ACL held on certain Medlab servers, from unauthorised access, modification or disclosure, in contravention of Australian Privacy Principle [APP]11.1(b)…’.

The judgment discussed in detail ACL’s cybersecurity control deficiencies, which included that:

  • ACL did not identify relevant vulnerabilities in the Medlab IT Systems prior to its acquisition of the Medlab assets.[18]
  • ACL was over-reliant on third-party service providers and failed to have in place adequate procedures to detect and respond by itself to cyber incidents. [52]
  • The Medlab IT Team Leader who was initially put in charge of ACL’s response had received no training in how to respond to a cyberattack. [21]

What constituted reasonable steps under APP 11.1(b)? The Court took account of familiar considerations such as the size and nature of the entity and the volume and sensitivity of the information held. But it also stated that the ‘breadth of the necessary inquiry into what might constitute “such steps as are reasonable in the circumstances” is informed by judicial consideration of other legislation that import a “reasonable steps” obligation, in particular, s 961L, s 963F and s 994E(5) of the Corporations Act 2001 (Cth)’ (Corporations Act). [51]

This guidance gives APP entities greater certainty that, in respect of APP 11.1 ‘reasonable steps’, the standard is objective, risk‑based and specific to the entity’s context, calling for a holistic assessment of the entity’s total circumstances, including its suite of systems, policies and procedures.

  2. Contravention of s 26WH(2) – failure to carry out a reasonable and expeditious assessment of suspected eligible data breach[ii]

The Court’s second declaration stated that, in contravention of s 13G(a) of the Privacy Act, within 30 days of 2 March 2022, in the relevant circumstances, ‘…ACL failed to take reasonable steps to ensure it carried out a reasonable and expeditious assessment of whether there were reasonable grounds to believe that the circumstances of the cyberattack on the Medlab systems amounted to an eligible data breach within the meaning of s 26WE of the Privacy Act, in contravention of s 26WH(2) of the Privacy Act…’.

If an APP entity is aware that there are reasonable grounds to suspect (but not necessarily to believe) that there may have been an eligible data breach, it is subject to s 26WH. If s 26WH is engaged, then the APP entity must carry out a reasonable and prompt assessment of whether there are reasonable grounds to believe that the unauthorised access amounted to an ‘eligible data breach’, and take all reasonable steps to ensure that the assessment is completed within 30 days.

The Court determined that ACL had enough evidence of a potential cyber breach, including notifications from the Australian Cyber Security Centre (ACSC), that a reasonable person would not have been satisfied, despite Stickman’s advice, that there was no eligible data breach. This breach would likely have caused harm to many individuals. Since ACL knew that Stickman’s tests were very limited, the Court found it unreasonable for ACL to rely only on Stickman’s advice. The consequent delay in notifying the Commissioner was considered to have worsened the seriousness of the breach.

  3. Contravention of s 26WK(2) – failure to notify of data breach

The Court’s third declaration stated that, ‘in contravention of s 13G(a) of the Privacy Act, having formed the view by at least 16 June 2022 that there were reasonable grounds to believe that there had been an eligible data breach in the circumstances of the Medlab Cyberattack, ACL failed to prepare and give to the … Commissioner, as soon as practicable, a statement concerning the Medlab Cyberattack outlining the matters set out in section 26WK(3) of the Privacy Act, in contravention of s 26WK(2) of the Privacy Act…’.

‘Practicable’ is not defined in the Privacy Act, but the Court observed that the information to be provided to the Commissioner to fulfil this reporting obligation is not particularly onerous, and ACL conceded that the information could have been provided within two or three days of 16 June rather than in the following month. Factors taken into account in considering this a serious breach again included that it delayed the Commissioner’s ability to advise and assist the large number of affected individuals.

Penalties and costs applied

The Court ordered ACL to pay the Commonwealth of Australia, within 30 days, a civil penalty of $5,800,000, comprising:

(a) $4,200,000 in respect of failing to protect personal information properly;

(b) $800,000 in respect of delaying assessment of the suspected data breach; and

(c) $800,000 in respect of delaying its notification to the OAIC.

ACL was also required to pay the Commissioner $400,000 toward her costs in the proceeding.

During the relevant period, s 13G carried a maximum of 2,000 penalty units per contravention, multiplied by five for bodies corporate. Reforms in 2022 introduced higher penalties. Importantly, the Court considered the personal information contraventions under s 13G(a) on a per person basis: His Honour accepted that each affected individual constituted a separate contravention for the APP 11.1 breach. While the Court did not here impose the huge theoretical maximum penalty for 223,000 affected individuals, in different circumstances in large breach matters, the Court’s per person approach will be significant for the assessment of both the ‘serious’ breach threshold and the quantum of potential penalties.

Key takeaways

This decision underscores the importance of:

  • Thorough M&A and cyber due diligence to identify risks before acquisition of targets, then to effectively remedy them after acquisition;
  • Having a detailed and current data breach response plan identifying internal and external roles and responsibilities, and including key time lines;
  • Understanding the Commissioner’s expectations of expeditious and reasonable investigation and notification of data breaches that may constitute serious interferences with privacy.

This proceeding also signals a new determination by the OAIC to achieve deterrence by pursuing civil penalties for data breaches and deficient responses.[iii] The OAIC has more civil penalty proceedings in train. As indicated above, effective from 13 December 2022, a higher penalty regime provides for maximum penalties of up to $50 million for serious breaches. The Privacy and Other Legislation Amendment Act 2024 (Cth) also introduced additional tiers of penalties including a mid-tier penalty for companies of up to $3.3 million for breaches that fall below the threshold of ‘serious’.

This article is for general information purposes only and does not constitute legal or professional advice.  It should not be used as a substitute for legal advice relating to your particular circumstances.  Please also note that the law may have changed since the date of this article.

[i] However, ASIC has previously made declarations and penalty and other orders arising from cyber breach and deficient responses, under the Corporations Act: see Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (per Rofe J). Here the defendant held an Australian Financial Services Licence with attendant obligations.

[ii] For more background on investigation and reporting issues see my previous Keynote ‘How golden is silence? Data breaches involving personal information’ posted by Keypoint Law 9 November 2022.

[iii] In bringing this proceeding and agreeing a high penalty, the OAIC has demonstrated its increased appetite to bite as well as bark, as compared with its ‘educative’ handling of earlier cyber breach incidents: see for example Re Uber Technologies Inc [2021] AICmr 34.
