OAIC takes pathology company to court over data breach

Brandon How

Australia’s privacy watchdog is taking Australian Clinical Labs to court over a data breach that exposed the personal information of 223,000 Australians, a week after its regulatory actions were criticised in Senate Estimates.

The ASX-listed company, which owns Medlab Pathology, is alleged to have “seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure in breach of the Privacy Act 1988” between May 2021 and September 2022.

The firm collects millions of individual patients’ health information as well as other personal identifying and contact information to share test results and issue invoices. This also includes copies of Medicare cards and numbers.

Federal Court proceedings follow an investigation into ACL’s privacy practices. The investigation, which began in December 2022, was initiated after ACL’s Medlab Pathology business disclosed a February 2022 data breach.If found guilty, Australian Clinical Labs (ACL) may be liable to pay up to $2.22 million in penalties for each contravention of the Privacy Act identified by the court.

ACL has said it will be “defending the [Australian Information Commissioner’s] claim and asserts that its cyber security systems are robust”.

Australian Clinical Labs Pathology Lab at Adelaide Airport. Image: Leyton Property

The data breach “resulted in the unauthorised access and exfiltration of personal information, sensitive health information and credit card information of in excess of 100,000 individuals”, according to the OAIC.The Office of the Australian Information Commissioner (OAIC) was notified of the February 2022 data breach in mid-July 2022. It disclosed the data breach to the ASX in late October 2022, stating that around 223,000 individuals had been affected.

“The Commissioner also alleges that following the data breach, ACL failed to carry out a reasonable assessment of whether it amounted to an eligible data breach and then failed to notify the Commissioner as soon as practicable,” the OAIC’s statement adds

The Notifiable Data Breach scheme requires organisations covered by the Privacy Act to notify affected individuals and the OAIC “when a data breach is likely to result in serious harm to an individual whose personal information is involved”, according to the regulator.

The OAIC alleges that ACL contravened section 13G of the Privacy Act, which outlines what constitutes an interference with the privacy of an individual.

New maximum civil penalties introduced at the end of last year for breaches of the Privacy Act do not apply since the period of the alleged breach was prior to the commencement of the changes.

In a statement, Australian Information Commissioner Angelene Falk said “organisations are responsible for protecting the information they hold, including effectively managing cyber security risk”.

“We consider that ACL failed to take reasonable steps to protect personal information it held for an organisation of its size with its resources, and considering the nature and volume of the sensitive personal information it handled.”

“When a data breach occurs, organisations are responsible for notifying the OAIC and affected individuals as a way of minimising the risks and potential for harm associated with a data breach.

“Contrary to this principle, ACL delayed notifying my office that personal and sensitive information had been published on the dark web.

“As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime.”

The civil proceedings come a week after Ms Falk was pressed during Senate estimates on perceived delays in its investigations of data breaches and the issuance of penalties.

Last Monday, Greens Senator David Shoebridge noted that the OAIC had been notified of 1,748 data breaches in the last two financial years but “not a single penalty has been issued”.

In response, Ms Falk said the office has worked to ensure the purpose of the notifiable data breaches scheme has been achieved, “which is that individuals are notified [so] that they can take steps to mitigate their risk”.

“We have had investigations running. They’ve been resolved by means other than by penalties. And I’ve said that we’ve got major investigations running now, which is a result of specific funding that has enabled that kind of regulatory activity and has been very welcome,” Ms Falk added.

Mr Shoebridge also asked what had gone wrong for OAIC not to have issued a penalty in the last two financial years, to which Ms Falk responded: “It’s not a matter of something going wrong. It’s about regulatory strategy. It’s about ensuring that we’re using the right tool in the right circumstances”.

Editor’s Note: This story has been edited for clarity.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories