In a landmark decision the Federal Court has issued its first judgment ordering the payment of civil penalties imposed under the Privacy Act 1988 (Cth) (the Act), following proceedings initiated by the Office of the Australian Information Commissioner (OAIC) against Australian Clinical Labs Limited (ACL).
On 8 October 2025, ACL was ordered to pay a civil penalty of $5.8 million for multiple contraventions of the Act arising from a significant data breach involving the personal information of over 223,000 individuals.
The judgment highlights the factors the Court will consider when evaluating whether an entity has complied with APP 11 and the mandatory data breach notification requirements, and what the Court regards as ‘reasonable steps’ to protect personal information from unauthorised access.
Background
ACL acquired Medlab Pathology Pty Ltd in December 2021. In February 2022, a cyberattack by the Quantum Group led to the exfiltration and publication of sensitive health data on the dark web. The breach exposed serious deficiencies in ACL’s cybersecurity posture, particularly in its handling of legacy systems inherited from Medlab.
Inadequate procedures to detect and respond to a cyber incident
In considering ACL’s inadequate procedures to detect and respond to a cyber incident, the Court noted that ACL admitted:
- Cyber incidents playbooks did not clearly define roles and responsibilities for incident response efforts,
- There was inadequate testing of incident management processes in the period between the acquisition of the Medlab IT Systems and the Medlab cyberattack,
- Data Loss Prevention was not used on the Medlab IT Systems to detect or prevent the theft of personal information and data held on those systems,
- Adequate tooling that could perform behaviour-based analysis of activity, to identify malicious actions that an antivirus product might not detect, was not used,
- The Medlab IT Team Leader had not seen, used, or received training on the cyber playbooks provided by ACL and had no formal cybersecurity background or incident response training,
- There was limited security monitoring capability because the firewall logs were only retained for one hour,
- Specific data recovery plans had not been developed,
- Medlab staff were not required to use multi-factor authentication to access the Medlab VPN.
What are reasonable steps to protect personal information?
Justice Halley’s reasoning provides important guidance on what constitutes “reasonable steps” under Australian Privacy Principle 11.1(b):
- ACL did not implement adequate cybersecurity controls on Medlab’s legacy IT systems post-acquisition.
- ACL’s failure to understand and secure inherited systems was a key factor in the breach.
- Reasonable steps were interpreted to include:
  - Conducting robust cybersecurity due diligence during M&A activity.
  - Ensuring technical integration and risk mitigation for legacy systems.
  - Maintaining tested incident response plans.
- The judgment emphasised that reliance on third-party service providers does not absolve an entity of its obligations under the Privacy Act.[1]
His Honour found that ACL’s overreliance on third-party service providers, and its failure to have in place adequate procedures of its own to detect and respond to cyber incidents, was not reasonable.
Was the contravention serious?
Section 13G(a) of the Act stipulates that an entity’s conduct represents a contravention if that conduct is a serious interference with the privacy of an individual.
The Court was satisfied that ACL’s conduct met the “serious” threshold, particularly having regard to:
- the nature and volume of the personal information extracted, which included sensitive health information held on the Medlab IT Systems,
- the extent of the IT System Deficiencies,
- the Cyberattack Response Deficiencies, and
- ACL’s reliance on a third-party cybersecurity services provider, all of which significantly heightened the risk that the personal information would be exposed to unauthorised access.
The Court ordered the following penalties be paid within 30 days:
- $4.2 million for failing to take reasonable steps to protect personal information (APP 11.1)
- $800,000 for failing to assess whether an eligible data breach had occurred (s 26WH(2))
- $800,000 for failing to notify the Commissioner and affected individuals (s 26WK(2))
Mitigating factors
Justice Halley considered several mitigating factors in determining the penalty including:
- ACL’s cooperation with the OAIC investigation, and that it was ACL’s first contravention of the Act;
- Admission of liability and public apologies by the CEO; and
- Commencement of a program of works to uplift the company’s cybersecurity capabilities.
Implications
This decision sets a precedent for future enforcement actions under the Privacy Act. It signals the OAIC’s increased willingness to pursue civil penalties and provides a clear judicial interpretation of the ‘reasonable steps’ standard. Organisations should review their privacy and cybersecurity frameworks, especially in the context of acquisitions and legacy system integration.
The decision provides a checklist for entities to consider their readiness and maturity to detect and respond to a cyber incident. Any audit undertaken by entities should consider the matters discussed above.
The decision also informs the setting of an adequate limit of liability for cyber insurance coverage, where a policy typically covers:
- Incident response costs
- Network rectification
- Public relations costs
- Legal defence costs
- Fines and/or penalties
The Court’s judgment can be read in full on the Federal Court website.[1]
[1] https://www.judgments.fedcourt.gov.au/judgments/Judgments/fca/single/2025/2025fca1224.