Australian Clinical Labs (ACL) will pay penalties of $5.8 million over a 2022 data privacy breach at one of its subsidiaries, Medlab Pathology.

Medlab Pathology disclosed a data breach about 10 months after it happened, which impacted pathology test results, as well as payment and Medicare details.
The incident attracted a formal investigation from the Office of the Australian Information Commissioner (OAIC), which led to a civil suit being filed a year later.
The end result is a $5.8 million penalty ordered by the Federal Court for breaching privacy laws, plus $400,000 for the OAIC's legal costs.
The Court found that Australian Clinical Labs’ breach of privacy rules was not limited to failures to protect the personal information of its clients, which comprised $4.2 million of the total penalty.
It was penalised a further $1.6 million for failing to take reasonable steps to investigate the breach and notify the OAIC “as soon as reasonably practicable”.
Australian information commissioner Elizabeth Tydd said that the penalties would serve as a reminder to companies to remain vigilant when managing data containing personal information.
“These orders also represent a notable deterrent and signal to organisations to ensure they undertake reasonable and expeditious investigations of potential data breaches and report them ... appropriately," Tydd said.
Ransomware gang Quantum Group claimed responsibility for the attack, exfiltrating 86GB of data, which included sensitive health information about more than 223,000 individuals, and later published it on the dark web, according to court filings.
ACL, in correspondence with a third-party cyber security provider, reached the conclusion that the breach was not eligible for notification under the Australian Privacy Principles rules.
Around the same time, the Australian Cyber Security Centre (ACSC) became aware, via separate intelligence sources, that the ransomware attack had taken place and notified ACL that it may be required to report the incident.
However, ACL’s CIO told the ACSC that the company did not believe that any data had been stolen, and advised the company’s board that “(a)t this point we have no reason to believe any [personal health information] or company data was breached”.
It later became clear that the company’s assessment had been incorrect.
The ACSC sent ACL a second notice informing it that a third party had detected the trove of data on the dark web.
The court found that Medlab's antivirus software was incapable of preventing the malware from being run on its system, that the company used weak authentication, used a firewall only capable of logging an hour of activity, used no form of file encryption and was running a version of Windows Server that, at the time, hadn’t been supported by Microsoft since January 2020.
The identity of the antivirus software provider was redacted from the court ruling.
ACL released a short note to the ASX informing the market that it must meet the court's orders by November 7.