ACL taken to Court over 2022 data breach

The February 2022 data breach of Australian Clinical Labs’ (ACL) Medlab Pathology business has resulted in the Office of the Australian Information Commissioner (OAIC) taking action in the Federal Court.

However, the company will not be subject to the much higher penalties of up to $A50 million introduced by the 2022 amendments to the Privacy Act, which only came into force after the ACL breach.

The OAIC was notified of the breach five months after it occurred, in July 2022. An investigation commenced in December 2022.

The Commissioner is alleging that from May 2021 to September 2022, ACL seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure in breach of the Privacy Act 1988. The Commissioner alleges that these failures left ACL vulnerable to cyberattack.

ACL will be defending the claim and asserts that its cybersecurity systems are robust. After more than 223,000 individual records were accessed in the data breach, including medical records, names, credit card numbers and Medicare numbers, ACL stated that the compromised Medlab server had been decommissioned and its broader systems and databases were not affected by the incident.

It also stated there was no evidence of any misuse of any of the information or any demand made of Medlab or ACL.

ACL generated revenue of $A995.6 million in the financial year ending June 2022.

The OAIC alleges that following the data breach, ACL failed to carry out a reasonable assessment of whether it amounted to an eligible data breach and then failed to notify the Commissioner as soon as practicable.

“Organisations are responsible for protecting the information they hold, including effectively managing cyber security risk,” Australian Information Commissioner Angelene Falk said.

“We consider that ACL failed to take reasonable steps to protect personal information it held for an organisation of its size with its resources, and considering the nature and volume of the sensitive personal information it handled.

“When a data breach occurs, organisations are responsible for notifying the Office of the Australian Information Commissioner and affected individuals as a way of minimising the risks and potential for harm associated with a data breach.

“Contrary to this principle, ACL delayed notifying my office that personal and sensitive information had been published on the dark web.

“As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime,” said Commissioner Falk.