Australian Clinical Labs
Summary
Australian Clinical Labs (ACL), a major pathology provider, suffered a data breach in February 2022 affecting approximately 223,000 Australians who had used Medlab Pathology services. The breach exposed highly sensitive health information including sexual health test results, fertility assessments, and prenatal genetic testing data. In November 2023, the Australian Information Commissioner commenced civil penalty proceedings, culminating in a landmark $5.8 million penalty, the first civil penalty ordered under the Privacy Act 1988.
What Happened
In December 2021, ACL acquired the assets of Medlab Pathology, a privately owned pathology business that provided health services in New South Wales and Queensland, including prenatal genetic testing, fertility assessments, and testing for sexually transmitted diseases.
In February 2022, a cyber attack on the Medlab information technology systems, combined with various cybersecurity deficiencies, led to a data breach. On 16 June 2022, the Australian Cyber Security Centre contacted ACL to inform them that approximately 80 gigabytes (later confirmed as 86 gigabytes) of data from the Medlab IT systems had been published on the dark web.
The breach occurred due to inadequate cybersecurity protections on the acquired Medlab systems. ACL failed to promptly inform authorities and affected customers about the breach after becoming aware of it.
Impact on Individuals
The breach affected approximately 223,000 Australians who had used Medlab Pathology services. The exposed data included varying combinations of:
- Highly sensitive health information (sexual health test results, fertility assessments, prenatal genetic testing)
- Contact information (names, addresses, phone numbers, email addresses)
- Credit card numbers
- Medicare card numbers
The exposure of sexual health and fertility information is particularly sensitive, as this data can lead to significant emotional distress, stigmatisation, discrimination, and blackmail. Unlike financial information, which can be changed, health information is permanent and deeply personal.
Organisational Response
On 2 November 2023, the Australian Information Commissioner commenced civil penalty proceedings against ACL in the Federal Court, alleging multiple violations of the Privacy Act. The Commissioner accused ACL of having insufficient cybersecurity protections and of not promptly informing authorities and customers about the breach.
In late 2025, the Federal Court approved a proposed civil penalty, ordering ACL to pay $5.8 million and contribute a further $400,000 to the OAIC's legal costs.
Legal Action
This case represents a groundbreaking moment in Australian privacy law, as it is the first civil penalty ordered by the Federal Court in the history of the Privacy Act 1988. The substantial penalty sends a strong message to organisations about the importance of cybersecurity and the obligation to protect sensitive personal information, particularly health data.
The UK Information Commissioner's Office and Canadian privacy authorities also conducted a joint investigation into related aspects of the breach.