ACL Settles $A5.8M Privacy Breach Case
Australian Clinical Labs (ACL) has reached an agreement with the Australian Information Commissioner to pay $A5.8 million in penalties over a 2022 cyberattack on Medlab Pathology.
The settlement, which requires Federal Court approval, resolves civil penalty proceedings launched in November 2023. ACL will also contribute $A400,000 towards the Commissioner's legal costs.
The cyberattack occurred in February 2022, approximately nine weeks after ACL acquired the Medlab business. The breach impacted Medlab customers and employees, though ACL's own data and IT systems remained unaffected.
Under the proposed agreement, ACL and the AIC filed a Statement of Agreed Facts and Admissions acknowledging contraventions of the Privacy Act 1988. The Federal Court has reserved its judgment on the settlement.
Since the acquisition, Medlab's IT infrastructure has been integrated into ACL's cybersecurity framework.
ACL stated the settlement would have no material impact on ongoing operations or financial position beyond the agreed penalty amount.
According to a statement from the firm, “ACL would like to again apologise to the Medlab customers and employees that were impacted as a result of this Cyberattack. While the Medlab Cyberattack was isolated to the newly acquired Medlab business, we remain steadfast in our commitment to the protection of patient data, data governance and continuously improving our cybersecurity systems and controls.
“This resolution allows ACL to move forward with certainty and focus on our strategic objectives and continued delivery of high-quality pathology service to our patients and value to shareholders.”