Australia: Australian Information Commissioner filed lawsuit against Australian Clinical Labs Limited over alleged privacy violations

Description

On 3 November 2023, the Office of the Australian Information Commissioner (OAIC) commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs Limited (ACL). The proceedings follow a Commissioner-initiated investigation into a February 2022 data breach at ACL’s Medlab Pathology business, which was reported to the OAIC in July 2022. The Commissioner alleges that from May 2021 to September 2022, ACL seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect health and financial information in breach of the Privacy Act 1988. The Commissioner further alleges that ACL failed to conduct a timely assessment of the breach and to notify the OAIC as required under Part IIIC of the Act. The case concerns ACL’s collection and storage of personal and sensitive health information of patients, including Medicare numbers and credit card data. The Federal Court may impose civil penalties of up to AUD 2.22 million per contravention under the applicable provisions.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2023-11-03
under deliberation

On 3 November 2023, the Office of the Australian Information Commissioner (OAIC) commenced civil pe…

2025-09-17
under investigation

On 17 September 2025, the Australian Information Commissioner and Australian Clinical Labs Limited …

2025-10-08
in force

On 8 October 2025, the Federal Court of Australia ordered Australian Clinical Labs Limited (ACL), t…