Significant penalty ordered by Federal Court in ACL cyber breach
24 October 2025
Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224
The Federal Court of Australia recently ordered Australian Clinical Labs (ACL) to pay a $5.8 million penalty in connection with a cyber breach that compromised the personal information of 223,000 customers. These are the first civil penalties ordered under the Privacy Act 1988 (Cth) (the Privacy Act). The Court found that ACL failed to comply with a number of its obligations in contravention of the Privacy Act.
Background
ACL provides pathology services to hospitals. In the course of providing these services, ACL collects and holds the personal and sensitive information, including health information, of patients in order to conduct testing and otherwise carry on its business.
Around February, Medlab IT Systems (Medlab), a division of ACL’s business, was subject to a cyberattack and subsequent data breach. This resulted in the personal and sensitive health information of more than 223,000 individuals being stolen and published on the dark web.
On 2 November 2023, the Australian Information Commissioner commenced proceedings seeking declarations that ACL had contravened s 13G of the Privacy Act by failing to:
- take reasonable steps to protect individuals’ personal information that it held over the period from 26 May 2021 to 29 September 2022 in contravention of Australian Privacy Principle (APP) 11.1(b), and
- conduct a reasonable assessment of whether the Medlab cyberattack constituted an ‘eligible data breach’ as defined in the Act, and then failing to notify the Australian Information Commissioner as soon as practicable, in contravention of ss 26WH(2) and 26WK(2) of the Privacy Act.
Outcome
On 8 October 2025, the Federal Court of Australia handed down its decision, ordering that ACL pay a total of $5.8 million in civil penalties. The Court found that ACL had failed to take a number of reasonable steps to comply with its obligations under APP 11, including the following:
- identifying and addressing cybersecurity vulnerabilities in IT systems (e.g. implementing antivirus software, strong authentication measures and file encryption)
- having adequate procedures to detect and respond to cyber incidents internally, rather than over-relying on third-party providers
- developing and testing clear incident response playbooks with defined roles and responsibilities
- implementing data loss prevention tools to detect and prevent theft of personal information
- implementing application whitelisting to prevent unauthorised applications from running
- ensuring staff involved in incident response had appropriate training and cybersecurity backgrounds
- maintaining security monitoring capabilities, including longer retention of firewall logs
- developing specific data recovery plans, and
- requiring staff to use multifactor authentication for VPN access.
The total penalty comprises:
- a penalty of $4.2 million for failing to establish adequate cybersecurity controls over the personal information of individuals that ACL held on Medlab servers in contravention of Australian Privacy Principle 11.1(b)
- a penalty of $800,000 for failing to take reasonable steps, within 30 days of the cyberattack, to ensure it carried out a reasonable and expeditious assessment of whether there were reasonable grounds to believe that the cyberattack amounted to an ‘eligible data breach’ within the meaning of s 26WE of the Privacy Act, in contravention of s 26WH(2), and
- a penalty of $800,000 for failing to prepare and give the Australian Information Commissioner a statement concerning the cyberattack as soon as practicable, outlining the matters set out in s 26WK(3) of the Privacy Act, in contravention of s 26WK(2).
In settling on the final penalty figures, the Federal Court of Australia weighed the following factors:

Ultimately, the Federal Court of Australia concluded that the aggregate penalty of $5.8 million was significant enough to achieve specific deterrence for ACL, and general deterrence for other participants of the Australian healthcare system against similar contraventions of the Privacy Act.
ACL is also required to pay a contribution of $400,000 to the Australian Information Commissioner’s legal costs in the proceeding. A very expensive lesson to learn and one which could have been avoided by undertaking a privacy impact assessment to identify gaps in privacy compliance.
Speak to us at Sparke Helmore about how we can assist your business to identify privacy compliance gaps and recommend mitigation strategies to ensure compliance with your obligations under the Privacy Act.