
OAIC alleges Australian Clinical Labs hack resulted from lacklustre security measures

The Office of the Australian Information Commissioner (OAIC) has alleged that leading pathology company Australian Clinical Labs suffered a major cyber attack as a result of “serious and systemic failures”.

Daniel Croft
Thu, 30 Nov 2023

Australian Clinical Labs (ACL) parent company Medlab announced in February 2022 that it had suffered a cyber attack at the hands of the Quantum hacking group, which stole 86 gigabytes of data belonging to over 200,000 people. The data included health information, passport details, and credit card information (number, expiry and CVV).

Earlier this month, the OAIC commenced legal proceedings against Australian Clinical Labs, accusing it of a lack of appropriate security measures needed to protect its customers.

“Organisations are responsible for protecting the information they hold, including effectively managing cyber security risk,” said Australian information commissioner Angelene Falk.


“We consider that ACL failed to take reasonable steps to protect personal information it held for an organisation of its size with its resources, and considering the nature and volume of the sensitive personal information it handled.”

According to records, less than four hours after a Medlab staffer noticed Quantum’s ransomware threat on a desktop PC, other devices in Brisbane and Sydney had already received the message. The devices were then encrypted.

Australian Clinical Labs also didn’t have a cyber security team, despite holding sensitive information and having generated revenue of just under $1 billion in the 2022 fiscal year.

The company did have an IT team leader who led the response to the attack alongside the company’s head of technical services and chief information officer, but none of them had any cyber security qualifications or experience bouncing back from a cyber attack.

Despite the IT team leader being provided with the company’s guidelines for dealing with ransomware and malware attacks, the leader had not been trained to follow the guidelines, and the OAIC said that these steps were not followed.

The OAIC added that it believes Australian Clinical Labs also failed to inform the OAIC as soon as practicable, as required under the Privacy Act.

It also allegedly failed to conduct a proper assessment of whether it was an eligible cyber attack, which, if classed as one, would require the OAIC to be informed of it.

“When a data breach occurs, organisations are responsible for notifying the Office of the Australian Information Commissioner and affected individuals as a way of minimising the risks and potential for harm associated with a data breach,” added Falk.

“Contrary to this principle, ACL delayed notifying my office that personal and sensitive information had been published on the dark web.

“As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime.”

Under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, the maximum penalty for the “serious and/or repeated interference with a privacy for a body corporate” is now either $50 million, three times the value of the benefit generated by the offending body, or 30 per cent of the adjusted turnover for the period if the value of the benefit cannot be calculated.

However, as the cyber incident occurred before these penalties were introduced, Australian Clinical Labs will potentially face the old penalty, which was $2.2 million.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
