The Australian Information Commissioner has commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs Limited (ACL) resulting from an investigation of its privacy practices. The investigation arose as a result of a February 2022 data breach of ACL’s Medlab Pathology business that was notified to the Office of the Australian Information Commissioner (OAIC) on 10 July 2022. The OAIC’s investigation commenced in December 2022.
The Commissioner alleges that from May 2021 to September 2022, ACL seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure in breach of the Privacy Act 1988. The Commissioner alleges that these failures left ACL vulnerable to cyberattack.
ACL’s business centrally involves collecting and holding millions of individual patients’ health information. ACL collects other personal information from patients in order to provide test results and issue invoices, such as personal identifying and contact information, and copies of Medicare cards and numbers. ACL generated revenue of $995.6 million in the financial year ending June 2022.
The Commissioner also alleges that following the data breach, ACL failed to carry out a reasonable assessment of whether it amounted to an eligible data breach and then failed to notify the Commissioner as soon as practicable. These are steps it was required to take under Part IIIC of the Privacy Act.
The Commissioner alleges that ACL contravened section 13G of the Privacy Act by reason of the following:
- breaches of Australian Privacy Principle (APP) 11.1(b), which requires an APP entity to take such steps as are reasonable in the circumstances to protect personal information it holds from unauthorised access
- contravention of section 26WH(2), which requires an APP entity to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach and to take all reasonable steps to ensure that the assessment is completed within 30 days
- contravention of section 26WK(2), which requires an APP entity to notify the Australian Information Commissioner of an eligible data breach as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach.
The February 2022 data breach resulted in the unauthorised access and exfiltration of personal information, sensitive health information and credit card information of more than 100,000 individuals.
“Organisations are responsible for protecting the information they hold, including effectively managing cyber security risk,” Australian Information Commissioner Angelene Falk said.
“We consider that ACL failed to take reasonable steps to protect personal information it held for an organisation of its size with its resources, and considering the nature and volume of the sensitive personal information it handled.
“When a data breach occurs, organisations are responsible for notifying the Office of the Australian Information Commissioner and affected individuals as a way of minimising the risks and potential for harm associated with a data breach.
“Contrary to this principle, ACL delayed notifying my office that personal and sensitive information had been published on the dark web.
“As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime,” said Commissioner Falk.