Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224

The Federal Court of Australia has handed down a significant penalty of $5,800,000 after finding that a healthcare provider committed multiple serious breaches of the Privacy Act 1988 (Cth) (Privacy Act) arising from a major cyberattack in early 2022. The decision underscores the strict obligations imposed on organisations that handle sensitive information and the serious consequences of failing to protect individuals’ privacy.

Key Findings

The Court concluded that the respondent committed serious interferences with the privacy of more than 223,000 individuals, contravening s 13G(a) of the Privacy Act. The contraventions included:

  • A breach of Australian Privacy Principle (APP) 11.1(b) for failing to take reasonable steps to protect personal and sensitive information on its IT systems from unauthorised access and disclosure.
  • A contravention of s 26WH(2) by failing to conduct a reasonable and expeditious assessment of whether reasonable grounds existed to believe that a February 2022 cyberattack constituted an eligible data breach.
  • A contravention of s 26WK(2) for unreasonably delaying notification to the Australian Information Commissioner regarding the eligible data breach.

The parties jointly proposed an aggregate civil penalty of $5.8 million, which the Court accepted as appropriate to promote both specific and general deterrence.

Jurisdiction

The proceeding was heard in the Federal Court of Australia.

Material Facts

The respondent operated healthcare services, including pathology services, and in late 2021 had acquired IT systems from another business. These systems stored a large volume of personal and sensitive information but suffered from significant cybersecurity deficiencies, including:

  • weak authentication protocols,
  • lack of data encryption, and
  • reliance on unsupported legacy systems.

On or shortly before 25 February 2022, a cyberattack compromised the respondent’s systems, resulting in the exfiltration and dark web publication of 86 GB of personal and sensitive data relating to more than 223,000 individuals.

Despite this, the respondent:

  • conducted inadequate investigations into the exfiltration,
  • relied disproportionately on external cybersecurity providers, and
  • failed to properly respond to signs that sensitive data had indeed been exfiltrated.

By 16 June 2022, the respondent had evidence confirming exfiltration. However, it did not notify the Australian Information Commissioner or affected individuals until 10 July 2022.

Applicable Law

The Court considered several legislative instruments, including:

  • Privacy Act 1988 (Cth) – ss 13G(a), 26WH(2), 26WK(2), and APP 11.1(b)
  • Privacy Amendment (Enhancing Privacy Protection) Bill 2012
  • Privacy Amendment (Notifiable Data Breaches) Bill 2016
  • Federal Court of Australia Act 1976 (Cth) s 21
  • Regulatory Powers (Standard Provisions) Act 2014 (Cth) Pt 4

Reasons for Judgment

The Court emphasised the seriousness of the respondent’s failures, noting:

  • The respondent did not implement adequate cybersecurity safeguards to protect highly sensitive information, in breach of APP 11.1(b).
  • It relied unreasonably on a limited third-party investigation and failed to conduct its own thorough and expeditious assessment as required under s 26WH(2).
  • It had reasonable grounds to suspect an eligible data breach but still failed to notify the Australian Information Commissioner “as soon as practicable,” contravening s 26WK(2).
  • The sensitivity of the compromised data (including health and financial information) and the systems’ vulnerabilities compounded the seriousness of the breaches.
  • The respondent’s delay in notification impeded timely regulatory oversight and guidance.

While the conduct was serious, the Court took into account mitigating factors such as the respondent’s cooperation, admission of liability, and subsequent remedial actions.

The agreed penalty of $5.8 million was held to fall within the appropriate range, sufficient to achieve deterrence without being excessive.

Decision

The Court made the following orders:

  • Declarations that the respondent had contravened s 13G(a) of the Privacy Act.
  • An order requiring the respondent to pay an aggregate pecuniary penalty of $5,800,000 for its contraventions.

Conclusion

This case marks a major moment in Australia’s privacy landscape. For the first time, a court has issued civil penalties under the Privacy Act 1988 (Cth) for failing to properly protect personal information during a significant data breach. As the first penalty of its kind, it shows that privacy breaches involving large amounts of sensitive information, particularly health data, are now being taken far more seriously. The $5.8 million penalty reflects the OAIC’s stronger stance on enforcement and serves as a clear warning to any organisation that handles sensitive data.

The decision also highlights a new level of accountability for privacy and cybersecurity management. Organisations must have strong governance and oversight in place from the outset, and cannot rely solely on external providers to manage security risks. This ruling reinforces the growing legal and financial consequences of poor privacy compliance and sets a clear expectation that all businesses maintain solid data protection and breach-response systems.
