ACL will contribute $400,000 towards the Australian Information Commissioner’s legal costs.
Today (29 September), Australian Clinical Labs (ACL) said it has reached an agreement with the Australian Information Commissioner regarding a 2022 data breach of Medlab Pathology.
ACL acquired Medlab Pathology in December 2021. The cyber attack that led to the breach occurred in February 2022, and ACL first reported the scope of the incident in October 2022.
At the time, ACL said it did not have any evidence that the data had been taken advantage of, but the Australian Cyber Security Centre (ACSC) later contacted the company to inform it that the data had been published on the dark web.
Approximately 223,000 Australians were impacted by the breach, with varying combinations of health data, personal details, and credit and Medicare card numbers exposed. ACL said at the time that it had decommissioned the compromised server.
It was later revealed that the Quantum ransomware group was behind the attack and had stolen 86 gigabytes of data.
In November 2023, the Office of the Australian Information Commissioner (OAIC) began legal proceedings against ACL, alleging that it had failed to employ adequate safeguards to protect the sensitive data it held.
Now, ACL has said it is willing to resolve proceedings with a $5.8 million penalty, as well as proposing a contribution of $400,000 to cover the commissioner’s legal costs.
“ACL would like to again apologise to the Medlab customers and employees [who] were impacted as a result of this cyber attack,” ACL said in a 29 September statement.
“While the Medlab cyber attack was isolated to the newly acquired Medlab business, we remain steadfast in our commitment to the protection of patient data, data governance, and continuously improving our cyber security systems and controls.
“This resolution allows ACL to move forward with certainty and focus on our strategic objectives and continued delivery of high-quality pathology service to our patients and value to shareholders.”
The agreement is still subject to approval by the Federal Court, which has said it is reserving judgment on the matter.
ACL said it does not expect its penalty agreement to have any material impact on its business going forward.
“The OAIC has jointly submitted a penalty with ACL and made submissions on that today,” a spokesperson for the commissioner told Cyber Daily.
“We now await the court’s judgment on this matter.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.