Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224
The Federal Court of Australia has handed down a significant penalty of $5,800,000 after finding that a healthcare provider committed multiple serious breaches of the Privacy Act 1988 (Cth) (Privacy Act) arising from a major cyberattack in early 2022. The decision underscores the strict obligations imposed on organisations that handle sensitive information and the serious consequences of failing to protect individuals’ privacy.
Key Findings
The Court concluded that the respondent committed serious interferences with the privacy of more than 223,000 individuals, contravening s 13G(a) of the Privacy Act. The contraventions included:
- A breach of Australian Privacy Principle (APP) 11.1(b) for failing to take reasonable steps to protect personal and sensitive information on its IT systems from unauthorised access and disclosure.
- A contravention of s 26WH(2) by failing to conduct a reasonable and expeditious assessment of whether reasonable grounds existed to believe that a February 2022 cyberattack constituted an eligible data breach.
- A contravention of s 26WK(2) for unreasonably delaying notification to the Australian Information Commissioner regarding the eligible data breach.
The parties jointly proposed an aggregate civil penalty of $5.8 million, which the Court accepted as appropriate to promote both specific and general deterrence.
Jurisdiction
The proceeding was heard in the Federal Court of Australia.
Material Facts
The respondent operated healthcare services, including pathology services, and in late 2021 had acquired IT systems from another business. These systems stored a large volume of personal and sensitive information but suffered from significant cybersecurity deficiencies, including:
- weak authentication protocols,
- lack of data encryption, and
- reliance on unsupported legacy systems.
On or shortly before 25 February 2022, a cyberattack compromised the respondent’s systems, resulting in the exfiltration and dark web publication of 86 GB of personal and sensitive data relating to more than 223,000 individuals.
Despite this, the respondent:
- conducted inadequate investigations into the exfiltration,
- relied disproportionately on external cybersecurity providers, and
- failed to properly respond to signs that sensitive data had indeed been exfiltrated.
By 16 June 2022, the respondent had evidence confirming exfiltration. However, it did not notify the Australian Information Commissioner or affected individuals until 10 July 2022.
Applicable Law
The Court considered several legislative instruments, including:
- Privacy Act 1988 (Cth) – ss 13G(a), 26WH(2), 26WK(2), and APP 11.1(b)
- Privacy Amendment (Enhancing Privacy Protection) Bill 2012
- Privacy Amendment (Notifiable Data Breaches) Bill 2016
- Federal Court of Australia Act 1976 (Cth) s 21
- Regulatory Powers (Standard Provisions) Act 2014 (Cth) Pt 4
Reasons for Judgment
The Court emphasised the seriousness of the respondent’s failures, noting:
- The respondent did not implement adequate cybersecurity safeguards to protect highly sensitive information, in breach of APP 11.1(b).
- It relied unreasonably on a limited third-party investigation and failed to conduct its own thorough and expeditious assessment as required under s 26WH(2).
- It had reasonable grounds to suspect an eligible data breach but still failed to notify the Australian Information Commissioner “as soon as practicable,” contravening s 26WK(2).
- The sensitivity of the compromised data, including health and financial information, and the systems’ vulnerabilities compounded the seriousness of the breaches.
- The respondent’s delay in notification impeded timely regulatory oversight and guidance.
While the conduct was serious, the Court took into account mitigating factors such as the respondent’s cooperation, admission of liability, and subsequent remedial actions.
The agreed penalty of $5.8 million was held to fall within the appropriate range, sufficient to achieve deterrence without being excessive.
Decision
The Court made the following orders:
- Declarations that the respondent had contravened s 13G(a) of the Privacy Act.
- An order requiring the respondent to pay an aggregate pecuniary penalty of $5,800,000 for its contraventions.
Conclusion
This case marks a major moment in Australia’s privacy landscape. For the first time, a court has issued civil penalties under the Privacy Act 1988 (Cth) for failing to properly protect personal information during a significant data breach. As the first penalty of its kind, it shows that privacy breaches involving large amounts of sensitive information, particularly health data, are now being taken far more seriously. The $5.8 million penalty reflects the OAIC’s stronger stance on enforcement and serves as a clear warning to any organisation that handles sensitive data.
The decision also highlights a new level of accountability for privacy and cybersecurity management. Organisations must have strong governance and oversight in place from the outset, and cannot rely solely on external providers to manage security risks. This ruling reinforces the growing legal and financial consequences of poor privacy compliance and sets a clear expectation that all businesses maintain solid data protection and breach-response systems.