Data breach costs Australian Clinical Labs $5.8m in first civil penalties under Privacy Act

Over 223,000 people had their personal information compromised

A February 2022 data breach has cost Australian Clinical Labs (ACL) $5.8m in the first civil penalties laid down under the Privacy Act 1988.

The penalties were set under the penalty regime in effect at the time of the breach, when the maximum penalty was $2.22m per contravention.

“This outcome represents an important turning point in the enforcement of privacy law in Australia. For the first time, a regulated entity has been subject to civil penalties under the Privacy Act, in line with the expectations of the public and the powers given to the OAIC by parliament”, privacy commissioner Carly Kind said. “This should serve as a vivid reminder to entities, particularly providers operating within Australia’s healthcare system, that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold”.

Australian Information Commissioner Elizabeth Tydd added that entities holding sensitive data “need to be responsive to the heightened requirements for securing this information as future action will be subject to higher penalty provisions now available under the Privacy Act”.

The cyberattack hit ACL’s Medlab Pathology business, and the unauthorised access to and exfiltration of the personal information of over 223,000 people amounted to a serious interference with privacy in contravention of s 13G(a) of the Privacy Act. The court broke down ACL’s penalties as follows:

  • $4.2m for failing to take reasonable steps to protect the personal information held on Medlab Pathology’s IT systems, as required by Australian Privacy Principle 11.1
  • $800,000 for failing to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred, in contravention of s 26WH(2) of the Privacy Act
  • $800,000 for failing to prepare and give a statement about the breach to the Australian Information Commissioner, in contravention of s 26WK(2) of the Act

Justice John Halley said in his decision that ACL’s conduct “had at least the potential to cause significant harm to individuals whose information had been exfiltrated, including financial harm, distress or psychological harms, and material inconvenience” and that the contraventions “had the potential to have a broader impact on public trust in entities holding private and sensitive information of individuals”.

“ACL’s most senior management were involved in the decision making around the integration of Medlab’s IT Systems into ACL’s core environment and ACL’s response to the Medlab Cyberattack, including whether it amounted to an eligible data breach”, the judge pointed out, noting that ACL’s Privacy Act violations “resulted from its failure to act with sufficient care and diligence in managing the risk of a cyberattack on the Medlab IT Systems”.

ACL admitted the contraventions and consented to the orders. The penalty was reduced in recognition of the company’s cooperation with the Information Commissioner’s investigation and of the program of works it initiated to strengthen its cybersecurity capabilities, according to the Office of the Australian Information Commissioner.

A new penalty regime took effect on 13 December 2022 and significantly increased the penalties for serious interferences with privacy: the maximum penalty per contravention is now the greater of $50m, three times the value of the benefit obtained from the conduct, or 30% of the entity’s annual turnover.