On 8 October 2025, the Federal Court of Australia ordered Australian Clinical Labs Limited (ACL) to pay a civil penalty of AUD 5.8 million for contraventions of the Privacy Act 1988. The Court found that ACL failed to take reasonable steps to protect the personal and sensitive health information of more than 223,000 individuals held on computer systems acquired from Medlab Pathology in December 2021. The systems had cybersecurity deficiencies, including outdated antivirus software, weak authentication measures, and no file encryption. The Court also found that in February 2022 the Quantum Group executed a cyberattack that exfiltrated 86 gigabytes of data, including passport numbers, health information, and financial details, which was subsequently published on the dark web, and that ACL nevertheless failed to conduct a reasonable and expeditious assessment within 30 days to determine whether an "eligible data breach" had occurred. Despite forming the view by 16 June 2022 that an eligible data breach had occurred, ACL delayed notifying the Commissioner until 10 July 2022, approximately 24 days later than was practicable. The penalty of AUD 5.8 million and a costs contribution of AUD 400,000 were ordered to be paid within 30 days.