On 17 September 2025, the Australian Information Commissioner and Australian Clinical Labs Limited (ACL) lodged a statement of agreed facts in the Federal Court of Australia, confirming agreement on the company’s contraventions of the Privacy Act 1988. The agreement concerns ACL’s handling of a February 2022 ransomware attack on Medlab Pathology, which resulted in the exfiltration of 86 gigabytes of sensitive personal, health, and financial information affecting more than 223,000 individuals. ACL admitted that it failed to take reasonable steps to secure the data, in breach of Australian Privacy Principle 11.1(b), failed to carry out a timely and reasonable assessment of the incident under section 26WH(2), and delayed notification of the Commissioner under section 26WK(2). The parties agreed that these acts amounted to serious interferences with privacy under section 13G of the Act, and the Federal Court will determine the pecuniary penalties to be imposed.