15 December 2025
Australian Clinical Labs Ltd to pay $5.8m penalty for contraventions of the Privacy Act 1988 (Cth)
In a landmark case for privacy law, Australian Clinical Labs Ltd (ACL) has been ordered to pay a $5.8 million penalty for contraventions of the Privacy Act 1988 (Cth) (Act), in addition to a $400,000 contribution towards the Australian Information Commissioner’s costs, in a Federal Court judgment handed down on 8 October 2025.[1]
The proceedings against the major private pathology provider were noted by the Court to be the first civil penalty proceeding brought by the Commissioner in the history of the Act, indicating a shift in the treatment of compliance under the Act for serious breaches and interference with individuals’ privacy.
Overview of the proceedings
In December 2021, ACL acquired the assets of Medlab Pathology Pty Ltd (Medlab), a privately owned pathology business that operated in New South Wales and Queensland.
In January 2022, ACL established a committee to oversee and coordinate the integration of Medlab’s IT systems into ACL’s core IT environment by 30 June 2022.
In late February 2022, a threat actor known as the Quantum Group (QG) infiltrated the Medlab IT systems, exfiltrated approximately 86GB of data (including personal and sensitive health information of more than 223,000 individuals), and later published it on the dark web.
On 2 November 2023, the Commissioner commenced the first-ever civil penalty proceedings under the Act,[2] seeking declarations that ACL had failed to: take reasonable steps to protect individuals’ personal information;[3] conduct a reasonable assessment of whether a cyberattack constituted an “eligible data breach”;[4] and notify the Commissioner as soon as practicable.[5]
The parties jointly relied on a statement of agreed facts and admissions. ACL consented to declarations and to an agreed penalty of $5.8 million.
Main legal issues
- APP 11.1 (Reasonable Steps): Whether ACL took “such steps as are reasonable in the circumstances” to protect personal information from “unauthorised access, modification or disclosure”.[6]
- s 26WH (Assessment Duty): Whether ACL, being aware that there were reasonable grounds to suspect that there may have been an eligible data breach, carried out a reasonable and expeditious assessment of whether there were reasonable grounds to believe that the unauthorised access amounted to an eligible data breach, and took all reasonable steps to ensure that the assessment was completed within 30 days.[7]
- s 26WK (Notification Duty): Whether ACL notified the Commissioner “as soon as practicable” once there were reasonable grounds to believe an eligible data breach had occurred.[8]
- s 13G (Serious Interference With Privacy): Whether the breaches constituted “serious or repeated interferences” with privacy.[9]
The Court’s Reasoning
Reasonable Steps
The Court held that ACL breached APP 11.1, in particular having regard to the:[10]
(a) size and nature of the business of ACL;
(b) volume and sensitivity of the information;
(c) high cybersecurity risks facing ACL during Dec 2021 to Jul 2022 and the risk of harm to individuals if their health and other personal information held by ACL on the Medlab IT systems was accessed and disclosed without authorisation;
(d) Medlab IT systems’ cybersecurity deficiencies;
(e) ACL’s failure to identify the Medlab IT systems’ cybersecurity deficiencies, prior to its acquisition;
(f) delay in ACL identifying the Medlab IT systems’ cybersecurity deficiencies; and
(g) overreliance that ACL placed on third party service providers and its failure to have in place adequate procedures to detect and respond by itself to cyber incidents.
APP 11.1 provides that an objective standard is to be applied to determine the steps that are required to be undertaken, and necessarily the scope of those steps must be informed by the circumstances. The Court stated that the circumstances should be given a broad construction, and drew guidance from judicial consideration of the “reasonable steps” obligation in ss 961L, 963F and 994E(5) of the Corporations Act 2011 (Cth).[11]
The Court was also satisfied that ACL’s breach of APP 11.1 constituted an interference with the privacy of more than 223,000 individuals whose personal information ACL held on the Medlab IT system, treating each affected individual as a separate “serious interference” for the purposes of s 13G,[12] consistent with the Act’s object of protecting individual privacy.[13]
Assessment Duty
On s 26WH, the Court held that ACL’s subjective knowledge or awareness by 2 March 2022 was sufficient to require ACL to carry out a reasonable and expeditious assessment within 30 days. The assessment carried out by the third-party cybersecurity service provider on which ACL relied was inadequate (including because of limited monitoring and minimal threat actor profiling). The Court was persuaded the contravention was serious (for the purposes of s 13G of the Act), particularly given the:
- sensitivity and volume of the personal information;
- high cybersecurity risks facing ACL during the period from Dec 2021 to Jul 2022; and
- delay, which impacted on the Commissioner’s ability to perform her statutory function of monitoring ACL’s notification to individuals whose personal information may have been compromised.[14]
Notification Duty
On s 26WK, the Court held that ACL had reasonable grounds to believe that there had been an eligible data breach by at least 16 June 2022 and had an obligation to report the Medlab cyber-attack to the Commissioner as soon as practicable thereafter. ACL notified the Commissioner on 10 July 2022, which the Court held contravened s 26WK of the Act, noting that the information required to be included in a notification “is not particularly onerous” and “is intended to facilitate the provision of the notification as ‘soon as practicable’”. The Court was persuaded the contravention was serious (for the purposes of s 13G of the Act), for reasons similar to those stated in respect of s 26WH.[15]
Conclusion
The Court explained that declarations of contravention of the Act ought to be made, having regard to the following key considerations:[16]
- The declarations assist APP entities in understanding the scope and extent of their obligations to protect sensitive private information from unauthorised access;
- The Commissioner, as a regulator, has a real interest in raising the questions, and there is a public interest in judicial guidance being provided to APP entities as to the scope and nature of their responsibilities under the Act to protect the personal information of individuals, and to have in place appropriate systems and procedures to do so; and
- The declarations will provide a public indication of the seriousness with which the Court views the contraventions by ACL of its obligations to protect personal information of individuals from unauthorised access, vindicate the Commissioner’s claims that the conduct of ACL was unsatisfactory, and deter other APP entities from contravening the Act.
The decision underscores that APP entities must maintain robust, internally capable cybersecurity frameworks, promptly assess suspected data breaches, and notify the regulator without delay, whilst remaining alive to their obligations under the Act.
The decision may further indicate an emerging appetite to pursue civil penalty enforcement actions for serious contraventions of the Act, in an increasingly fraught digital landscape.
If you have any questions relating to this article or your obligations under the Privacy Act, please contact Thaw Thaw Htin (Principal), Michelle Hankey (Senior Associate) or Will Bevan (Solicitor).
1. Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 (‘ACL (No 2)’).
2. Privacy Act 1988 (Cth) (‘Act’) s 13G.
3. In contravention of Australian Privacy Principle (‘APP’) 11.1 (Act, Schedule 1).
4. In contravention of s 26WH(2) of the Act. “Eligible data breach” is defined in Division 2, Part IIIC of the Act.
5. In contravention of s 26WK(2) of the Act.
6. ACL (No 2) at [47]-[49].
7. Ibid [70]-[71].
8. Ibid [82]-[83].
9. Ibid [40]-[46].
10. Ibid [52].
11. Ibid [50]-[51].
12. Ibid [54]-[58].
13. Ibid [60]-[62]; s 2A of the Act.
14. Ibid [74]-[80].
15. Ibid [86]-[92].
16. Ibid [99]-[104].
Disclaimer: The information published in this article is of a general nature and should not be construed as legal advice. Whilst we aim to provide timely, relevant and accurate information, the law may change and circumstances may differ. You should not therefore act in reliance on it without first obtaining specific legal advice.