Australian Clinical Labs faces first Privacy Act civil penalty order with $5.8m payment

Australian Clinical Labs (ACL) has become the first organisation to be ordered to pay civil penalties under the Privacy Act, after the Federal Court ordered the company to pay $5.8 million in relation to a 2022 data breach.

In February 2022, Medlab Pathology, which had recently been acquired by ACL, suffered a data breach exposing the personal data of 223,000 Australians, including credit card details and passport information.

However, the breach was not properly reported to the Office of the Australian Information Commissioner (OAIC) until July.

In 2023, the OAIC then ruled that ACL would need to face court over claims that its data protection methods were insufficient.

“ACL delayed notifying my office that personal and sensitive information had been published on the dark web,” OAIC commissioner at the time, Angelene Falk, said in a statement reported by The Guardian.

“As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime.”

Now, the Federal Court this week has ordered ACL to pay $5.8 million in civil penalties for the 2022 data breach, marking the first time civil penalties have been ordered under the Privacy Act 1988 (Cth).

The penalty is made up of a $4.2 million fine for a “failure to take reasonable steps to protect the personal information held by ACL on Medlab Pathology’s IT systems,” an $800,000 fine for “ACL’s failure to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred,” and an $800,000 fine for “ACL’s failures to prepare and give to the Australian Information Commissioner, as soon as practicable, a statement concerning the eligible data breach.”

Australian Information Commissioner Elizabeth Tydd said that the civil penalty orders “provide an important reminder to all APP entities that they must remain vigilant in securing and responsibly managing the personal information they hold.

“These orders also represent a notable deterrent and signal to organisations to ensure they undertake reasonable and expeditious investigations of potential data breaches and report them to the Office of the Australian Information Commissioner appropriately.

“Entities holding sensitive data need to be responsive to the heightened requirements for securing this information as future action will be subject to higher penalty provisions now available under the Privacy Act.”

ACL had already agreed to pay the $5.8 million penalty in an agreement with the OAIC; however, the agreement was still subject to Federal Court approval. It also proposed a $400,000 contribution to cover the commissioner’s legal costs.

“ACL would like to again apologise to the Medlab customers and employees [who] were impacted as a result of this cyber attack,” ACL said in a 29 September statement.

“While the Medlab cyber attack was isolated to the newly acquired Medlab business, we remain steadfast in our commitment to the protection of patient data, data governance, and continuously improving our cyber security systems and controls.

“This resolution allows ACL to move forward with certainty and focus on our strategic objectives and continued delivery of high-quality pathology service to our patients and value to shareholders.”

ACL said it does not expect its penalty to have any material impact on its business going forward.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.