ASX-lister Australian Clinical Labs (ACL) is facing potentially multi-million dollar fines for its inadequate protection of sensitive financial and health data.
This follows a cyberattack in 2022 that resulted in the theft of customer data, including information on sexually transmitted disease screenings.
The Australian Information Commissioner, in a statement filed in the Federal Court, has accused ACL of having insufficient cybersecurity protections and not promptly informing authorities and customers about the breach.
Exposed patient details from the breach were subsequently leaked onto the dark web.
Data breach
The legal action, initiated on November 3 by the Office of the Australian Information Commissioner (OAIC), relates to a breach at Medlab Pathology, which ACL acquired in late 2021.
The breach occurred in February 2022, but the OAIC was not notified until July 10. Approximately 21.5 million individuals were said to be affected, with more than 100,000 of them having their personal, health and credit card information compromised.
Medlab, which provided services in New South Wales and Queensland, including prenatal genetic testing, fertility assessments and diagnostics for sexually transmitted infections, reportedly had minimal cybersecurity measures.
The OAIC's filing highlighted ACL's failure to conduct adequate cybersecurity assessments before acquiring Medlab.
Facing penalties
ACL faces penalties under the older Privacy Act rules, because the breach predates the December 2022 amendments that raised the maximum penalties; under the earlier regime a body corporate can be fined up to A$2.2 million per contravention.
The OAIC's filing revealed that Medlab's systems were breached via a phishing email by a group known as Quantum.
Despite ACL's substantial revenue and workforce, the OAIC characterised its cybersecurity capabilities as minimal and its response to the breach as chaotic.
The OAIC asserts that ACL did not take reasonable steps to protect the personal information it held, considering the nature of the sensitive data and the resources available to the organisation. ACL has stated that it will vigorously defend against the action.