Private pathology giant Australian Clinical Labs has agreed to pay $5.8 million over a data breach in early 2022, in what would be the first civil penalty to be handed down for breaches of the Privacy Act.

Australian Clinical Labs (ACL), a private provider of pathology services around the country, and the Office of the Australian Information Commissioner (OAIC) reached an agreement earlier this week to resolve civil penalty proceedings in the Federal Court which began in late 2023.

The two parties have filed a statement of agreed facts and admissions, and joint submissions with the Federal Court, proposing that ACL pay $5.8 million for contraventions of the Privacy Act, and $400,000 to OAIC for its legal costs.

“This resolution allows ACL to move forward with certainty and focus on our strategic objectives and continued delivery of high-quality pathology services to our patients and value to shareholders,” an ACL statement said.

“ACL would like to again apologise to the Medlab customers and employees that were impacted as a result of this cyberattack.

“While the Medlab cyberattack was isolated to the newly acquired Medlab business, we remain steadfast in our commitment to the protection of patient data, data governance and continuously improving our cybersecurity systems and controls.”

The agreement is still subject to Federal Court approval, with the court reserving its judgement earlier this week.

The 2022 cyberattack

The court action relates to a February 2022 cyberattack on Medlab, which ACL had acquired in December 2021, that impacted an estimated 223,000 Australians.

Some of the data obtained as part of the cyberattack related to health, along with personal details and credit and Medicare numbers, which were eventually posted on the dark web.

OAIC began the Federal Court proceedings in late 2023, alleging that from May 2021 to September 2022, ACL “seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure in breach of the Privacy Act”.

Doing so left the company vulnerable to cyberattack, the privacy watchdog claimed.

OAIC also alleged that following the attack, ACL failed to carry out a reasonable assessment of whether it constituted a data breach and failed to notify it as soon as practicable.

The company first became aware of unauthorised third-party access to the Medlab server in February 2023, but a review found that no information had been compromised.

But a month later, the Australian Cyber Security Centre (ACSC) informed the company that it may have been the victim of a ransomware incident, with ACL again replying that it did not believe this to be the case.

In June 2022, ACL was again approached by the ACSC, which informed the company that the information compromised through the cyberattack had been posted on the dark web.

It was later revealed that the Quantum ransomware group was behind the attack, with 86GB of data obtained.

Civil action over data breaches

Healthcare companies and providers such as ACL have become increasingly common targets of cyberattackers, and the sector is now among the most impacted by data breaches.

OAIC has also launched civil penalty proceedings in relation to two other significant data breaches in 2022.

In August this year, the privacy office launched proceedings against Optus over the 2022 data breach, with 2.1 million people at a high risk of identity theft after their licence and passport details were compromised in the attack.

OAIC has alleged that Optus “did not take reasonable steps” to protect the data of its 9.5 million customers.

It has also launched civil proceedings in the Federal Court against Medibank over the 2022 cyberattack which saw highly sensitive personal information of 9.7 million individuals compromised and eventually posted on the dark web after a ransom payment was refused.

This hack has cost Medibank about $125 million, before potential civil penalties and an ongoing customer class action.