
In Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224, the Federal Court imposed the first civil penalties under the Privacy Act 1988 (Cth). The decision is a significant milestone in the evolution of Australia’s privacy-law landscape, confirming the Court’s readiness to impose substantial financial consequences for serious breaches.

Australian Clinical Labs Limited (“ACL”) is one of the largest private hospital pathology businesses in Australia. As part of its business, ACL collects and holds individual patients’ personal and sensitive information, including health information, for the purposes of providing test results and issuing invoices.[1]

On 19 December 2021, ACL acquired the assets of Medlab Pathology Pty Ltd. From the date of acquisition, ACL owned and controlled all of Medlab’s IT Systems.[2]

Shortly after, on 25 February 2022, a group known as the Quantum Group initiated a cyberattack against the Medlab IT Systems (Medlab Cyberattack). This resulted in 86 gigabytes of data, including the personal and sensitive health information of more than 223,000 individuals, being exfiltrated and subsequently published on the dark web.[3]

ACL’s response to the Medlab Cyberattack was initially handled by its third-party cyber security provider StickmanCyber, which, after only a few weeks of investigating, advised ACL that no data had been exfiltrated, only for the data later to be discovered on the dark web.

On 2 November 2023, the Australian Information Commissioner (Commissioner) commenced proceedings seeking declarations that ACL had contravened s 13G(a) of the Privacy Act 1988 (Cth) (Act) by failing to:

(a) take reasonable steps to protect individuals’ personal information that it held over the period from 26 May 2021 to 29 September 2022, in breach of Australian Privacy Principle (APP) 11.1(b), and

(b) conduct a reasonable assessment of whether the Medlab Cyberattack constituted an “eligible data breach” and then failing to notify the Commissioner as soon as practicable, in contravention of s 26WH(2) and s 26WK(2) of the Act.

ACL consented to the making of the declarations and the imposition of the aggregate civil penalty sought by the Commissioner. However, the Court still found it necessary to determine for itself whether the declarations and pecuniary penalty orders were appropriate and should be made.

In doing so, the Court considered a comprehensive statement of agreed facts and admissions (SAFA) jointly relied upon by the parties.

Ultimately, declarations of contravention under section 13G(a) were made and ACL was ordered to pay $5.8 million in civil penalties and $400,000 towards the Commissioner’s costs.[4]

Contraventions Of Section 13G Of The Act

Contraventions of section 13G of the Act by Reason of Breach of APP 11.1(b)

Section 13G of the Act is a civil penalty provision attracting 2,000 penalty units and prohibits an entity from engaging in serious or repeated interferences with an individual’s privacy.[5]

The Court said that, to the extent an entity engages in an act or practice that breaches an Australian Privacy Principle (APP) in relation to personal information about an individual, that act or practice is an interference with the privacy of that individual under section 13(1)(a) of the Act. If that interference is serious, the entity also contravenes section 13G(a).

The relevant APP in the proceedings was APP 11.1(b), which requires entities holding personal information to take “such steps as are reasonable in the circumstances” to protect personal information from “unauthorised access, modification or disclosure”.[6]

The Court was satisfied that ACL failed to take reasonable steps to protect personal information held on the Medlab IT Systems from “unauthorised access” and “unauthorised disclosure”. In particular, the Court had regard to:[7]

(a) the size and nature of the business of ACL;

(b) the volume and sensitivity of the information;

(c) the high cybersecurity risks facing ACL during the Relevant Period and the risk of harm to individuals if their health and other personal information held by ACL on the Medlab IT Systems was accessed and disclosed without authorisation;

(d) the Medlab IT Systems Deficiencies;

(e) ACL’s failure to identify the Medlab IT Systems Deficiencies prior to their acquisition;

(f) the delay in ACL identifying the Medlab IT Systems Deficiencies; and

(g) the overreliance that ACL placed on third party service providers and its failure to have in place adequate procedures to detect and respond by itself to cyber incidents.

The Court also acknowledged that ACL’s ability to detect and respond by itself to cyber incidents was deficient because:[8]

(a) the ACL cyber incident playbooks did not clearly define roles and responsibilities for incident response efforts, contained limited detail on the containment processes that should be deployed in the event of a cyber incident or the steps that ACL should take to mitigate exfiltration of data, and recommended steps for technologies that were not used within the Medlab IT Systems,

(b) there was inadequate testing of incident management processes in the period between the acquisition of the Medlab IT Systems and the Medlab Cyberattack,

(c) Data Loss Prevention was not used on the Medlab IT Systems to detect or prevent the theft of personal information and data held on those systems,

(d) adequate tooling/products that could perform behavioural-based analysis of activities in order to determine whether malicious actions might be undetected by an antivirus product were not used,

(e) there was no application whitelisting in place to prevent unknown or unauthorised applications from running on Medlab computers,

(f) there were only limited communications plans,

(g) the Medlab IT Team Leader had not seen, used, or received training on the playbooks provided and had no formal cybersecurity background or incident response training,

(h) there was limited security monitoring capability because the firewall logs were only retained for one hour,

(i) specific data recovery plans had not been developed, and

(j) Medlab staff were not required to use multifactor identification to use the Medlab VPN (together, Medlab Cyberattack Response Deficiencies).

For the above reasons the Court was satisfied that:

  • ACL breached APP 11.1(b) of the Act, and, by reason of s 13(1)(a) of the Act, that breach constituted an interference with the privacy of more than 223,000 individuals whose personal information ACL held on the Medlab IT Systems;[9]
  • the breaches of privacy of those 223,000 individuals were serious for the purposes of s 13G(a) of the Act;[10] and
  • ACL engaged in a separate contravention of s 13G(a) in respect of each of the more than 223,000 individuals.[11]

Contravention of s 13G of the Act by Reason of Contravention of section 26WH(2)

Section 26WH requires entities to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach, and to take all reasonable steps to ensure the assessment is completed within 30 days.[12]

By virtue of section 13(4A), a contravention of section 26WH(2) constitutes “an interference with the privacy of an individual” and, if serious, triggers section 13G(a).[13]

It was sufficient to establish that by 2 March 2022 ACL had knowledge or suspicion of unauthorised access likely to cause serious harm but failed to conduct a reasonable assessment.[14] The assessment undertaken by StickmanCyber was inadequate for a number of reasons and, as such, it was unreasonable for ACL to have relied upon it.[15]

The Court found that ACL’s contravention of section 26WH(2) was serious due to the sensitivity and volume of the data, the cybersecurity risks, and the delayed notification to the Commissioner.[16] It amounted to a single contravention of section 13G(a).[17]

Contravention of s 13G of the Act by Reason of Contravention of s 26WK(2)

Section 26WK requires that, where an entity is aware of an eligible data breach, it must as soon as practicable prepare a statement and provide that statement to the Commissioner.[18]

By virtue of section 13(4A), a contravention of section 26WK(2) constitutes “an interference with the privacy of an individual” and, if serious, triggers section 13G(a).[19]

ACL had reasonable grounds to believe the Medlab Cyberattack constituted an eligible data breach by 16 June 2022, when it was made aware of the publication of the data on the dark web, but did not provide a statement until 10 July 2022.[20]

The contravention of section 26WK(2) was serious due to the sensitive nature and volume of the data, the high cybersecurity risks, and the delay in providing the notification to the Commissioner.[21] It amounted to a single contravention of section 13G(a).

Lavan Note

This decision reinforces the notion that individuals are now empowered to take legal action for serious invasions of privacy, and regulators are equipped with enforcement tools to deal with these breaches.

Businesses should take proactive steps to ensure that the systems they have in place are adequate to prevent data breach events and that, when breaches do occur, they are equipped to respond sufficiently and within a reasonable timeframe. It is not enough to place all trust in third party providers.

Further, in acquisition and takeover situations, proper due diligence on cyber risk is now a factor to consider.

Lavan has previously written about the new cyber security regulations and the reforms to Australian privacy law that strengthen the current Australian regime. This information can be found in the Lavan publication titled Reforms to Australian Privacy Law: What Australian Business Need to Know.

For any advice on the above decision, Australian privacy law or your privacy policy and systems, please contact Iain Freeman, Partner in Lavan’s Dispute Resolution and Investigations team.

Thank you to Jonathan Tartaglia, Solicitor, for his valuable research and assistance with this article.


Footnotes

  1. Australian Information Commissioner v Australian Clinical Labs (No 2) [2025] FCA 1224, 1.
  2. Ibid 2.
  3. Ibid 3–4.
  4. Ibid 139–141.
  5. Ibid 40.
  6. Ibid 49–50.
  7. Ibid 52.
  8. Ibid 53.
  9. Ibid 54.
  10. Ibid 55–58.
  11. Ibid 59–60.
  12. Ibid 69–71.
  13. Ibid 72–73.
  14. Ibid 74–76.
  15. Ibid 77–78.
  16. Ibid 79–80.
  17. Ibid 80.
  18. Ibid 81–84.
  19. Ibid 84–85.
  20. Ibid 86–90.
  21. Ibid 86–90.
