ACL Fined $5.8M for Data Breach Affecting 223,000 Australians
Australian Clinical Labs (ACL) has been ordered to pay a substantial civil penalty of $5.8 million following a data breach that affected over 223,000 individuals. This marks the first time civil penalties have been imposed under the Privacy Act 1988 (Cth).
The Federal Court found that ACL failed to take reasonable steps to protect personal information, leading to a significant data breach. The company also failed to promptly report the breach and provide a statement to the Australian Information Commissioner. Privacy Commissioner Carly Kind warned that this case serves as a stark reminder to entities, particularly in the healthcare sector, of the severe consequences of failing to protect privacy.
The court noted that the breach was extensive and had the potential to cause significant harm to those affected. ACL has since cooperated with the investigation and taken steps to improve its cybersecurity capabilities. Under the new regime, which came into effect on 13 December 2022, the maximum penalty can reach $50 million, three times the benefit derived from the conduct, or 30% of a business's annual turnover.
ACL admitted liability and consented to the orders made by the Federal Court. The company will pay a penalty of $5.8 million, reflecting the seriousness of the breach and the need for all entities to prioritise the protection of personal information.