4 November 2025

Australian Information Commissioner secures civil penalty for dark web health information leak

Tom Jarvis, Christopher Sones, Joshua Devonshire

The Office of the Australian Information Commissioner (OAIC) has successfully secured a civil penalty of $5.8 million under the Privacy Act 1988 (Cth) (Privacy Act) against Australian Clinical Labs Limited (ACL) for contraventions arising from a data breach which led to the health records of 223,000 Australians being leaked onto the dark web. 

The judgment delivered by the Honourable Justice Halley on 8 October 2025, Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224, helpfully clarifies the obligations on businesses when responding to cyber threats and the factors that the courts will consider when deciding on penalty. 

The facts 

On 19 December 2021, ACL purchased the assets of Medlab Pathology Pty Ltd (Medlab). Medlab was a pathology business providing parental genetic testing, fertility assessments and testing for sexually transmitted diseases. 

Medlab's information technology systems (Medlab's IT Systems) had several weaknesses that were not identified prior to ACL's purchase. These vulnerabilities included:

  • weak authentication measures;
  • a server running on a legacy operating system that had been unsupported by Microsoft since 14 January 2020; and
  • antivirus software incapable of preventing certain malicious files from being written or run on its systems, amongst other problems.

On or shortly prior to 25 February 2022, Medlab's IT Systems were attacked by a threat actor known as the Quantum Group, which deployed ransomware and threatened to leak the affected data unless ACL paid a ransom.

The Medlab IT Team Leader who was initially in charge had no training in how to respond to a cyberattack. ACL contracted StickmanCyber to investigate, respond to and advise on the cyberattack. 

StickmanCyber advised that the threat to leak the information was not genuine, dismissing it as a negotiating tactic. StickmanCyber's investigation ceased on 1 March 2022, concluding that no data had been exfiltrated.

However, on 16 June 2022, Quantum Group published 86 gigabytes of Medlab's data concerning more than 223,000 people on the dark web. The information included identification, contact and health information. ACL became aware on the same day that the customer data had been published.

On 10 July 2022, almost a month later, ACL notified the OAIC of the data breach.

The OAIC commenced proceedings on 2 November 2023.

Judgment – key elements

1. Serious and repeated interference with privacy

Businesses are obliged to take “reasonable steps” to protect personal information from unauthorised access or disclosure.  

What constitutes "reasonable steps" depends on the totality of the actions taken by the business. This does not mean that businesses must follow an "optimal" path when responding to cyber incidents. However, the obligation cannot be discharged by simply delegating it to another entity and doing nothing more. The standard that businesses must meet is assessed against a reasonable person in their position.

The court found that ACL failed to take reasonable steps because: 

  • its cyber incident response procedures did not clearly define roles and responsibilities;
  • it had no application whitelisting in place to prevent unknown or unauthorised applications from running on its computers;
  • no data loss prevention was used to detect or prevent the theft of personal information and data held on the Medlab IT Systems; and
  • Medlab staff were not required to use multi-factor authentication to access the computer network, amongst other deficiencies.

Whether a contravention is “serious” depends on the business’s degree of departure from the standard of care and diligence expected of a reasonable person in that business’s position. 

The court held that ACL's contravention was serious because of the extent of the deficiencies in Medlab's IT Systems, the high cyber-threat environment, the volume and sensitivity of the health information disclosed, and ACL's reliance on a third-party cybersecurity services provider.

2. Failure to conduct a reasonable and expeditious assessment 

The court held that ACL had subjective knowledge that disclosure of the sensitive personal information would likely result in serious harm to its customers. This knowledge should have prompted it to conduct a "reasonable and expeditious" assessment to determine whether the cyberattack amounted to an eligible data breach under the Privacy Act.

The court held that ACL failed to do so because StickmanCyber's assessment:

  • only monitored three of the more than 127 computers affected;
  • did not investigate Quantum Group and its attack traits to determine whether it was likely that data was exfiltrated; and
  • conducted only a limited investigation into whether Quantum Group had established a persistence mechanism to retain access to Medlab's IT Systems.

This was a “serious” breach because of the volume and sensitivity of the information disclosed. 

3. Failure to notify of eligible data breach 

Where a business has reasonable grounds to believe that it has been subject to an eligible data breach, it must notify the OAIC "as soon as practicable".

The court held that ACL had reasonable grounds on 16 June 2022, when it found its customer data published on the dark web, to determine that the data breach was an "eligible data breach". ACL breached its obligation to notify because it did not provide notice to the OAIC until 10 July 2022.

What is a "practicable" amount of time will depend on the circumstances. Since the information required to be provided to the OAIC in the notification is not onerous, the court will view prompt notification favourably. The notification only needs to describe the data breach, the type of information concerned and recommendations about the next steps to be taken.

The court held that in this case two to three days was the practicable amount of time to notify the OAIC.  

Implications 

The case demonstrates the significant onus on businesses to maintain adequate cyber incident response systems and procedures.  

The case further illustrates that reliance on a limited investigation by a third party will not protect a business from liability, and that a thorough investigation into the incident is necessary to inform the business's response.

After this proceeding was commenced, the maximum penalty for a body corporate that contravenes the provision prohibiting a serious interference with privacy increased to the greater of:

  • $50 million;
  • three times the value of the benefit obtained from the contravention, where that value can be determined; and
  • 30 per cent of the adjusted turnover of the body corporate during the breach turnover period (a minimum of 12 months) for the contravention.